This is a Bill, not an Act. For current law, see the Acts databases.
2019-2020
The Parliament of the Commonwealth of Australia
HOUSE OF REPRESENTATIVES
Presented and read a first time
Security Legislation Amendment (Critical Infrastructure) Bill 2020
No. , 2020
(Home Affairs)
A Bill for an Act to amend legislation relating to critical infrastructure, and for other purposes

Contents
1 Short title
2 Commencement
3 Schedules
Schedule 1--Security of critical infrastructure
Part 1--General amendments
Administrative Decisions (Judicial Review) Act 1977
AusCheck Act 2007
Security of Critical Infrastructure Act 2018
Part 2--Application provisions
Part 3--Amendments contingent on the commencement of the Federal Circuit and Family Court of Australia Act 2020
Security of Critical Infrastructure Act 2018
Part 4--Amendments contingent on the commencement of the National Emergency Declaration Act 2020
National Emergency Declaration Act 2020
Security of Critical Infrastructure Act 2018
Schedule 2--Australian Signals Directorate
Criminal Code Act 1995

A Bill for an Act to amend legislation relating to critical infrastructure, and for other purposes

The Parliament of Australia enacts:

1 Short title
This Act is the Security Legislation Amendment (Critical Infrastructure) Act 2020.

2 Commencement
(1) Each provision of this Act specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms.

Commencement information

| Column 1 | Column 2 | Column 3 |
| --- | --- | --- |
| Provisions | Commencement | Date/Details |
| 1. Sections 1 to 3 and anything in this Act not elsewhere covered by this table | The day this Act receives the Royal Assent. | |
| 2. Schedule 1, Parts 1 and 2 | A single day to be fixed by Proclamation. However, if the provisions do not commence within the period of 6 months beginning on the day this Act receives the Royal Assent, they commence on the day after the end of that period. | |
| 3. Schedule 1, Part 3 | The later of: (a) immediately after the commencement of the provisions covered by table item 2; and (b) the commencement of the Federal Circuit and Family Court of Australia Act 2020. However, the provisions do not commence at all if the event mentioned in paragraph (b) does not occur. | |
| 4. Schedule 1, Part 4 | The later of: (a) immediately after the commencement of the provisions covered by table item 2; and (b) the commencement of the National Emergency Declaration Act 2020. However, the provisions do not commence at all if the event mentioned in paragraph (b) does not occur. | |
| 5. Schedule 2 | The day after this Act receives the Royal Assent. | |

Note: This table relates only to the provisions of this Act as originally enacted. It will not be amended to deal with any later amendments of this Act.
(2) Any information in column 3 of the table is not part of this Act. Information may be inserted in this column, or information in it may be edited, in any published version of this Act.

3 Schedules
Legislation that is specified in a Schedule to this Act is amended or repealed as set out in the applicable items in the Schedule concerned, and any other item in a Schedule to this Act has effect according to its terms.

Schedule 1--Security of critical infrastructure

Part 1--General amendments

Administrative Decisions (Judicial Review) Act 1977

1 Before paragraph (da) of Schedule 1
Insert:
(dae) decisions under Part 3A of the Security of Critical Infrastructure Act 2018;

AusCheck Act 2007

2 Subsection 4(1)
Insert:
critical infrastructure risk management program has the same meaning as in the Security of Critical Infrastructure Act 2018.

3 After paragraph 8(1)(b)
Insert:
(ba) critical infrastructure risk management programs are required, by rules made under the Security of Critical Infrastructure Act 2018, to include provisions that require background checks of individuals to be conducted under the AusCheck scheme; or

Security of Critical Infrastructure Act 2018

4 Section 3
Omit "to national security".

5 At the end of section 3
Add:
; and (c) requiring responsible entities for critical infrastructure assets to identify and manage risks relating to those assets; and
(d) imposing enhanced cyber security obligations on relevant entities for systems of national significance in order to improve their preparedness for, and ability to respond to, cyber security incidents; and
(e) providing a regime for the Commonwealth to respond to serious cyber security incidents.

6 Section 4
Repeal the section, substitute:

4 Simplified outline of this Act
This Act creates a framework for managing risks relating to critical infrastructure.
The framework consists of the following:
(a) the keeping of a register of information in relation to critical infrastructure assets (the register will not be made public);
(b) requiring the responsible entity for one or more critical infrastructure assets to have, and comply with, a critical infrastructure risk management program;
(c) requiring notification of cyber security incidents;
(d) imposing enhanced cyber security obligations that relate to systems of national significance;
(e) requiring certain entities relating to a critical infrastructure asset to provide information in relation to the asset, and to notify if certain events occur in relation to the asset;
(f) allowing the Minister to require certain entities relating to a critical infrastructure asset to do, or refrain from doing, an act or thing if the Minister is satisfied that there is a risk of an act or omission that would be prejudicial to security;
(g) allowing the Secretary to require certain entities relating to a critical infrastructure asset to provide certain information or documents;
(h) setting up a regime for the Commonwealth to respond to serious cyber security incidents;
(i) allowing the Secretary to undertake an assessment of a critical infrastructure asset to determine if there is a risk to national security relating to the asset.
Certain information obtained or generated under, or relating to the operation of, this Act is protected information. There are restrictions on when a person may make a record of, use or disclose protected information.
Civil penalty provisions of this Act may be enforced using civil penalty orders, injunctions or infringement notices, and enforceable undertakings may be accepted in relation to compliance with civil penalty provisions. The Regulatory Powers Act is applied for these purposes. Certain provisions of this Act are subject to monitoring and investigation under the Regulatory Powers Act. Certain provisions of this Act may be enforced by imposing a criminal penalty.
The Minister may privately declare an asset to be a critical infrastructure asset.
The Minister may privately declare a critical infrastructure asset to be a system of national significance.
The Secretary must give the Minister reports, for presentation to the Parliament, on the operation of this Act.

7 Section 5
Insert:

access, in relation to a computer program, means the execution of the computer program.

access to computer data means:
(a) in a case where the computer data is held in a computer--the display of the data by the computer or any other output of the data from the computer; or
(b) in a case where the computer data is held in a computer--the copying or moving of the data to:
(i) any other location in the computer; or
(ii) another computer; or
(iii) a data storage device; or
(c) in a case where the computer data is held in a data storage device--the copying or moving of the data to:
(i) a computer; or
(ii) another data storage device.

aircraft operator has the same meaning as in the Aviation Transport Security Act 2004.

airport has the same meaning as in the Aviation Transport Security Act 2004.

airport operator has the same meaning as in the Aviation Transport Security Act 2004.

air service has the same meaning as in the Aviation Transport Security Act 2004.

approved staff member of the authorised agency has the meaning given by section 35BJ.

ASD means the Australian Signals Directorate.

asset includes:
(a) a system; and
(b) a network; and
(c) a facility; and
(d) a computer; and
(e) a computer device; and
(f) a computer program; and
(g) computer data; and
(h) premises; and
(i) any other thing.

associated entity has the same meaning as in the Corporations Act 2001.

associated transmission facility means:
(a) an antenna; or
(b) a combiner; or
(c) a feeder system; or
(d) an apparatus; or
(e) an item of equipment; or
(f) a structure; or
(g) a line; or
(h) an electricity cable or wire;
that is associated with a radiocommunications transmitter.

AusCheck scheme has the same meaning as in the AusCheck Act 2007.

Australia, when used in a geographical sense, includes the external Territories.

Australian CS facility licence has the same meaning as in Chapter 7 of the Corporations Act 2001.

Australian derivative trade repository licence has the same meaning as in Chapter 7 of the Corporations Act 2001.

Australian market licence has the same meaning as in Chapter 7 of the Corporations Act 2001.

authorised agency means ASD.

authorised deposit-taking institution has the same meaning as in the Banking Act 1959.

background check has the same meaning as in the AusCheck Act 2007.

banking business has the same meaning as in the Banking Act 1959.

benchmark administrator licence has the same meaning as in the Corporations Act 2001.

broadcasting re-transmission asset means:
(a) a radiocommunications transmitter; or
(b) a broadcasting transmission tower; or
(c) an associated transmission facility;
that is used in connection with the transmission of a service to which, as a result of section 212 of the Broadcasting Services Act 1992, the regulatory regime established by that Act does not apply.

broadcasting service has the same meaning as in the Broadcasting Services Act 1992.

broadcasting transmission asset means:
(a) a radiocommunications transmitter; or
(b) a broadcasting transmission tower; or
(c) an associated transmission facility;
that is used, or is capable of being used, in connection with the transmission of:
(d) a national broadcasting service; or
(e) a commercial radio broadcasting service; or
(f) a commercial television broadcasting service.

broadcasting transmission tower has the same meaning as in Schedule 4 to the Broadcasting Services Act 1992.

business critical data means:
(a) personal information (within the meaning of the Privacy Act 1988) that relates to at least 20,000 individuals; or
(b) information relating to any research and development in relation to a critical infrastructure asset; or
(c) information relating to any systems needed to operate a critical infrastructure asset; or
(d) information needed to operate a critical infrastructure asset; or
(e) information relating to risk management and business continuity (however described) in relation to a critical infrastructure asset.

carriage service has the same meaning as in the Telecommunications Act 1997.

carriage service provider has the same meaning as in the Telecommunications Act 1997.

carrier has the same meaning as in the Telecommunications Act 1997.

chief executive of the authorised agency means the Director-General of ASD.

clearing and settlement facility has the same meaning as in Chapter 7 of the Corporations Act 2001.

commercial radio broadcasting service has the same meaning as in the Broadcasting Services Act 1992.

commercial television broadcasting service has the same meaning as in the Broadcasting Services Act 1992.

communications sector means the sector of the Australian economy that involves:
(a) supplying a carriage service; or
(b) providing a broadcasting service; or
(c) owning or operating assets that are used in connection with the supply of a carriage service; or
(d) owning or operating assets that are used in connection with the transmission of a broadcasting service; or
(e) administering an Australian domain name system.

computer means all or part of:
(a) one or more computers; or
(b) one or more computer systems; or
(c) one or more computer networks; or
(d) any combination of the above.

computer data means data held in:
(a) a computer; or
(b) a data storage device.

computer device means a device connected to a computer.

connected includes connection otherwise than by means of physical contact, for example, a connection by means of radiocommunication.

constable has the same meaning as in the Crimes Act 1914.

credit facility has the meaning given by regulations made for the purposes of paragraph 12BAA(7)(k) of the Australian Securities and Investments Commission Act 2001.

credit facility business means a business that offers, or provides services in relation to, a credit facility.

critical aviation asset means:
(a) an asset that:
(i) is used in connection with the provision of an air service; and
(ii) is owned or operated by an aircraft operator; or
(b) an asset that:
(i) is used in connection with the provision of an air service; and
(ii) is owned or operated by a regulated air cargo agent; or
(c) an asset that is used by an airport operator in connection with the operation of an airport.
Note: The rules may prescribe that a specified critical aviation asset is not a critical infrastructure asset (see section 9).

critical banking asset has the meaning given by section 12G.
Note: The rules may prescribe that a specified critical banking asset is not a critical infrastructure asset (see section 9).

critical broadcasting asset has the meaning given by section 12E.
Note: The rules may prescribe that a specified critical broadcasting asset is not a critical infrastructure asset (see section 9).

critical data storage or processing asset has the meaning given by section 12F.
Note: The rules may prescribe that a specified critical data storage or processing asset is not a critical infrastructure asset (see section 9).

critical defence capability includes:
(a) materiel; and
(b) technology; and
(c) a platform; and
(d) a network; and
(e) a system; and
(f) a service;
that is required in connection with:
(g) the defence of Australia; or
(h) national security.

critical defence industry asset means an asset that:
(a) is being, or will be, supplied by an entity to the Defence Department, or the Australian Defence Force, under a contract; and
(b) consists of, or enables, a critical defence capability.
Note: The rules may prescribe that a specified critical defence industry asset is not a critical infrastructure asset (see section 9).

critical domain name system has the meaning given by section 12KA.
Note: The rules may prescribe that a specified critical domain name system is not a critical infrastructure asset (see section 9).

critical education asset means a university that is owned or operated by an entity that is registered in the Australian university category of the National Register of Higher Education Providers.
Note: The rules may prescribe that a specified critical education asset is not a critical infrastructure asset (see section 9).

critical energy market operator asset means an asset that:
(a) is owned or operated by:
(i) Australian Energy Market Operator Limited (ACN 072 010 327); or
(ii) Power and Water Corporation; or
(iii) Regional Power Corporation; or
(iv) Electricity Networks Corporation; and
(b) is used in connection with the operation of an energy market or system; and
(c) is critical to ensuring the security and reliability of an energy market;
but does not include:
(d) a critical electricity asset; or
(e) a critical gas asset; or
(f) a critical liquid fuel asset.
Note: The rules may prescribe that a specified critical energy market operator asset is not a critical infrastructure asset (see section 9).

critical financial market infrastructure asset has the meaning given by section 12D.
Note: The rules may prescribe that a specified critical financial market infrastructure asset is not a critical infrastructure asset (see section 9).

critical food and grocery asset has the meaning given by section 12K.
Note: The rules may prescribe that a specified critical food and grocery asset is not a critical infrastructure asset (see section 9).

critical freight infrastructure asset has the meaning given by section 12B.
Note: The rules may prescribe that a specified critical freight infrastructure asset is not a critical infrastructure asset (see section 9).

critical freight services asset has the meaning given by section 12C.
Note: The rules may prescribe that a specified critical freight services asset is not a critical infrastructure asset (see section 9).

critical hospital means a hospital that has a general intensive care unit.
Note: The rules may prescribe that a specified critical hospital is not a critical infrastructure asset (see section 9).

critical infrastructure risk management program has the meaning given by section 30AH.

critical infrastructure sector has the meaning given by section 8D.

critical infrastructure sector asset has the meaning given by subsection 8E(1).

critical insurance asset has the meaning given by section 12H.
Note: The rules may prescribe that a specified critical insurance asset is not a critical infrastructure asset (see section 9).

critical liquid fuel asset has the meaning given by section 12A.
Note: The rules may prescribe that a specified critical liquid fuel asset is not a critical infrastructure asset (see section 9).

critical public transport asset means a public transport network or system that:
(a) is managed by a single entity; and
(b) is capable of handling at least 5 million passenger journeys per month;
but does not include a critical aviation asset.
Note: The rules may prescribe that a specified critical public transport asset is not a critical infrastructure asset (see section 9).

critical superannuation asset has the meaning given by section 12J.
Note: The rules may prescribe that a specified critical superannuation asset is not a critical infrastructure asset (see section 9).

critical telecommunications asset means:
(a) a telecommunications network that is:
(i) owned or operated by a carrier; and
(ii) used to supply a carriage service; or
(b) a telecommunications network, or any other asset, that is:
(i) owned or operated by a carriage service provider; and
(ii) used in connection with the supply of a carriage service.
Note: The rules may prescribe that a specified critical telecommunications asset is not a critical infrastructure asset (see section 9).

cyber security exercise has the meaning given by section 30CN.

cyber security incident has the meaning given by section 12M.

data includes information in any form.

data storage means data storage that involves information technology, and includes data back-up.

data storage device means a thing (for example, a disk or file server) containing (whether temporarily or permanently), or designed to contain (whether temporarily or permanently), data for use by a computer.

data storage or processing provider means an entity that provides a data storage or processing service.

data storage or processing sector means the sector of the Australian economy that involves providing data storage or processing services.

data storage or processing service means:
(a) a service that enables end-users to store or back-up data; or
(b) a data processing service.

Defence Department means the Department of State that deals with defence and that is administered by the Defence Minister.

defence industry sector means the sector of the Australian economy that involves the provision of critical defence capabilities.

Defence Minister means the Minister administering section 1 of the Defence Act 1903.

derivative trade repository has the same meaning as in Chapter 7 of the Corporations Act 2001.

designated officer has the meaning given by section 30DQ.

Electricity Networks Corporation means the Electricity Networks Corporation established by section 4 of the Electricity Corporations Act 2005 (WA).

electronic communication means a communication of information in any form by means of guided or unguided electromagnetic energy.

energy sector means the sector of the Australian economy that involves:
(a) the production, transmission, distribution or supply of electricity; or
(b) the production, processing, transmission, distribution or supply of gas; or
(c) the production, processing, transmission, distribution or supply of liquid fuel.

engage in conduct means:
(a) do an act or thing; or
(b) omit to perform an act or thing.

evaluation report has the meaning given by section 30CS.

external auditor means a person authorised under section 30CT to be an external auditor for the purposes of this Act.

financial benchmark has the same meaning as in Part 7.5B of the Corporations Act 2001.

financial market has the same meaning as in Chapter 7 of the Corporations Act 2001.

financial services and markets sector means the sector of the Australian economy that involves:
(a) carrying on banking business; or
(b) operating a superannuation fund; or
(c) carrying on insurance business; or
(d) carrying on life insurance business; or
(e) carrying on health insurance business; or
(f) operating a financial market; or
(g) operating a clearing and settlement facility;
(h) operating a derivative trade repository; or
(i) administering a financial benchmark; or
(j) operating a payment system; or
(k) carrying on financial services business; or
(l) carrying on credit facility business.

financial services business has the same meaning as in Chapter 7 of the Corporations Act 2001.

food means food for human consumption.

food and grocery sector means the sector of the Australian economy that involves:
(a) manufacturing; or
(b) processing; or
(c) packaging; or
(d) distributing; or
(e) supplying;
food or groceries on a commercial basis.

gas means a substance that:
(a) is in a gaseous state at standard temperature and pressure; and
(b) consists of naturally occurring hydrocarbons, or a naturally occurring mixture of hydrocarbons and non-hydrocarbons, the principal constituent of which is methane; and
(c) is suitable for consumption.

general intensive care unit means an area within a hospital that:
(a) is equipped and staffed so that it is capable of providing to a patient:
(i) mechanical ventilation for a period of several days; and
(ii) invasive cardiovascular monitoring; and
(b) is supported by:
(i) during normal working hours--at least one specialist, or consultant physician, in the specialty of intensive care, who is immediately available, and exclusively rostered, to that area; and
(ii) at all times--at least one medical practitioner who is present in the hospital and immediately available to that area; and
(iii) at least 18 hours each day--at least one nurse; and
(c) has admission and discharge policies in operation.

government business enterprise has the same meaning as in the Public Governance, Performance and Accountability Act 2013.

health care includes:
(a) services provided by individuals who practise in any of the following professions or occupations:
(i) dental (including the profession of a dentist, dental therapist, dental hygienist, dental prosthetist and oral health therapist);
(ii) medical;
(iii) medical radiation practice;
(iv) nursing;
(v) midwifery;
(vi) occupational therapy;
(vii) optometry;
(viii) pharmacy;
(ix) physiotherapy;
(x) podiatry;
(xi) psychology;
(xii) a profession or occupation specified in the rules; and
(b) treatment and maintenance as a patient at a hospital.

health care and medical sector means the sector of the Australian economy that involves:
(a) the provision of health care; or
(b) the production, distribution or supply of medical supplies.

health insurance business has the same meaning as in the Private Health Insurance Act 2007.

higher education and research sector means the sector of the Australian economy that involves:
(a) being a higher education provider; or
(b) undertaking a program of research that:
(i) is supported financially (in whole or in part) by the Commonwealth; or
(ii) is relevant to a critical infrastructure sector (other than the higher education and research sector).

higher education provider has the same meaning as in the Tertiary Education Quality and Standards Agency Act 2011.

hospital has the same meaning as in the Private Health Insurance Act 2007.

IGIS official means:
(a) the Inspector-General of Intelligence and Security; or
(b) any other person covered by subsection 32(1) of the Inspector-General of Intelligence and Security Act 1986.

impairment of electronic communication to or from a computer includes:
(a) the prevention of any such communication; and
(b) the impairment of any such communication on an electronic link or network used by the computer;
but does not include a mere interception of any such communication.

incident response plan has the meaning given by section 30CJ.

inland waters means waters within Australia other than waters of the sea.

insurance business has the same meaning as in the Insurance Act 1973.

internet carriage service means a listed carriage service that enables end-users to access the internet.

life insurance business has the same meaning as in the Life Insurance Act 1995.

liquid fuel has the same meaning as in the Liquid Fuel Emergency Act 1984.

listed carriage service has the same meaning as in the Telecommunications Act 1997.

local hospital network has the same meaning as in the National Health Reform Act 2011.

managed service provider, in relation to an asset, means an entity that:
(a) manages:
(i) the asset; or
(ii) a part of the asset; or
(b) manages an aspect of:
(i) the asset; or
(ii) a part of the asset; or
(c) manages an aspect of the operation of:
(i) the asset; or
(ii) a part of the asset.

medical supplies includes:
(a) goods for therapeutic use; and
(b) things specified in the rules.

Ministerial authorisation means an authorisation under section 35AB.

modification:
(a) in respect of computer data--means:
(i) the alteration or removal of the data; or
(ii) an addition to the data; or
(b) in respect of a computer program--means:
(i) the alteration or removal of the program; or
(ii) an addition to the program.

national broadcasting service has the same meaning as in the Broadcasting Services Act 1992.

National Register of Higher Education Providers means the register established and maintained under section 198 of the Tertiary Education Quality and Standards Agency Act 2011.

notification provision means:
(a) subsection 35AE(3); or
(b) subsection 35AE(4); or
(c) subsection 35AE(5); or
(d) subsection 35AE(6); or
(e) subsection 35AE(7); or
(f) subsection 35AE(8); or
(g) subsection 35AH(5); or
(h) subsection 35AH(6); or
(i) subsection 35AH(7); or
(j) subsection 35AY(3); or
(k) subsection 35AY(4); or
(l) subsection 35AY(5); or
(m) subsection 35AY(6); or
(n) subsection 35AY(7); or
(o) subsection 35AY(8); or
(p) subsection 51(3); or
(q) subsection 52(4); or
(r) subsection 52B(3); or
(s) subsection 52D(4).
Ombudsman official
means:
1
(a) the Ombudsman; or
2
(b) a Deputy Commonwealth Ombudsman; or
3
(c) a person who is a member of the staff referred to in
4
subsection 31(1) of the
Ombudsman Act 1976
.
5
8 Section 5 (paragraph (b) of the definition of operator)

Repeal the paragraph, substitute:
    (b) for a critical infrastructure asset other than a critical port--an entity that operates the asset or part of the asset.

9 Section 5

Insert:

payment system has the same meaning as in the Payment Systems (Regulation) Act 1998.

10 Section 5

Insert:

Power and Water Corporation means the Power and Water Corporation established by section 4 of the Power and Water Corporation Act 1987 (NT).

11 Section 5 (after paragraph (b) of the definition of protected information)

Insert:
    (ba) records or is the fact that an asset is declared under section 52B to be a system of national significance; or
    (bb) records or is the fact that the Minister has:
        (i) given a Ministerial authorisation; or
        (ii) revoked a Ministerial authorisation; or
    (bc) is, or is included in, a critical infrastructure risk management program that is adopted by an entity in compliance with section 30AC; or
    (bd) is, or is included in, a report that is given under section 30AG; or
    (be) is, or is included in, a report under section 30BC or 30BD; or
    (bf) is, or is included in, an incident response plan adopted by an entity in compliance with section 30CD; or
    (bg) is, or is included in, an evaluation report prepared under section 30CQ or 30CR; or
    (bh) is, or is included in, a vulnerability assessment report prepared under section 30CZ; or
    (bi) is, or is included in, a report prepared in compliance with:
        (i) a system information periodic reporting notice; or
        (ii) a system information event-based reporting notice; or
    (bj) records or is the fact that the Secretary has:
        (i) given a direction under section 35AK; or
        (ii) revoked such a direction; or
    (bk) records or is the fact that the Secretary has:
        (i) given a direction under section 35AQ; or
        (ii) revoked such a direction; or
    (bl) records or is the fact that the Secretary has:
        (i) given a request under section 35AX; or
        (ii) revoked such a request; or

12 Section 5 (paragraph (c) of the definition of protected information)

Omit "or (b)", substitute ", (b), (ba), (bb), (bc), (bd), (be), (bf), (bg), (bh), (bi), (bj), (bk) or (bl)".

13 Section 5

Insert:

radiocommunications transmitter has the same meaning as in the Radiocommunications Act 1992.

regional centre means a city, or a town that has a population of 10,000 or more people.

Regional Power Corporation means the Regional Power Corporation established by section 4 of the Electricity Corporations Act 2005 (WA).

registrable superannuation entity has the same meaning as in the Superannuation Industry (Supervision) Act 1993.

regulated air cargo agent has the same meaning as in the Aviation Transport Security Act 2004.

related body corporate has the same meaning as in the Corporations Act 2001.

relevant Commonwealth regulator means:
    (a) a Department that is specified in the rules; or
    (b) a body that is:
        (i) established by a law of the Commonwealth; and
        (ii) specified in the rules.

relevant entity, in relation to an asset, means an entity that:
    (a) is the responsible entity for the asset; or
    (b) is a direct interest holder in relation to the asset; or
    (c) is an operator of the asset; or
    (d) is a managed service provider for the asset.

relevant impact has the meaning given by section 8G.

14 Section 5 (definition of relevant industry)

Repeal the definition.

15 Section 5 (definition of responsible entity)

Repeal the definition, substitute:

responsible entity, for an asset, has the meaning given by section 12L.

16 Section 5 (paragraph (a) of the definition of security)

Omit "10 and 12", substitute "the definition of critical energy market operator asset and sections 10, 12, 12A, 12D, 12G, 12H, 12J, 12M, 12N, 30AG, 30CB, 30CM, 30CR, 30CU and 30CW".

17 Section 5 (paragraph (b) of the definition of security)

Omit "10 and 12", substitute "the definition of critical energy market operator asset and sections 10, 12, 12A, 12D, 12G, 12H, 12J, 12M, 12N, 30AG, 30CB, 30CM, 30CR, 30CU and 30CW".

18 Section 5

Insert:

significant financial benchmark has the same meaning as in the Corporations Act 2001.

space technology sector means the sector of the Australian economy that involves the commercial provision of space-related services.

Note: The following are examples of space-related services:
    (a) position, navigation and timing services in relation to space objects;
    (b) space situational awareness services;
    (c) space weather monitoring and forecasting;
    (d) communications, tracking, telemetry and control in relation to space objects;
    (e) remote sensing earth observations from space;
    (f) facilitating access to space.

staff member, in relation to the authorised agency, means a staff member of ASD (within the meaning of the Intelligence Services Act 2001).

system information event-based reporting notice means a notice under subsection 30DC(2).

system information periodic reporting notice means a notice under subsection 30DB(2).

system information software notice means a notice under subsection 30DJ(2).

system of national significance has the meaning given by section 52B.

technical assistance notice has the same meaning as in Part 15 of the Telecommunications Act 1997.

technical assistance request has the same meaning as in Part 15 of the Telecommunications Act 1997.

technical capability notice has the same meaning as in Part 15 of the Telecommunications Act 1997.

telecommunications network has the same meaning as in the Telecommunications Act 1997.

therapeutic use has the same meaning as in the Therapeutic Goods Act 1989.

transport sector means the sector of the Australian economy that involves:
    (a) owning or operating assets that are used in connection with the transport of goods or passengers on a commercial basis; or
    (b) the transport of goods or passengers on a commercial basis.

unauthorised access, modification or impairment has the meaning given by section 12N.

vulnerability assessment has the meaning given by section 30CY.

vulnerability assessment report has the meaning given by section 30DA.

water and sewerage sector means the sector of the Australian economy that involves:
    (a) operating water or sewerage systems or networks; or
    (b) manufacturing or supplying goods, or providing services, for use in connection with the operation of water or sewerage systems or networks.

19 Section 5 (definition of water utility)

After "water services", insert "or sewerage services, or both".

20 At the end of section 6

Add:

Interest and control information provided by the Commonwealth

(5) If the first entity:
    (a) is the Governor-General, the Prime Minister or a Minister; and
    (b) is a direct interest holder in relation to an asset because of paragraph 8(1)(b);
the first entity is not required to provide any interest and control information.

Note: The expression Minister is defined in section 2B of the Acts Interpretation Act 1901.

(6) However, subsection (5) does not affect the obligation of the Commonwealth to provide interest and control information in relation to the asset if the Commonwealth is also a direct interest holder in relation to the asset because of paragraph 8(1)(a) or (b).

21 After section 8C

Insert:

8D Meaning of critical infrastructure sector

Each of the following sectors of the Australian economy is a critical infrastructure sector:
    (a) the communications sector;
    (b) the data storage or processing sector;
    (c) the financial services and markets sector;
    (d) the water and sewerage sector;
    (e) the energy sector;
    (f) the health care and medical sector;
    (g) the higher education and research sector;
    (h) the food and grocery sector;
    (i) the transport sector;
    (j) the space technology sector;
    (k) the defence industry sector.

8E Meaning of critical infrastructure sector asset

(1) An asset is a critical infrastructure sector asset if it is an asset that relates to a critical infrastructure sector.

Deeming--when asset relates to a sector

(2) For the purposes of this Act, each of the following assets is taken to relate to the communications sector:
    (a) a critical telecommunications asset;
    (b) a critical broadcasting asset;
    (c) a critical domain name system.

(3) For the purposes of this Act, a critical data storage or processing asset is taken to relate to the data storage or processing sector.

(4) For the purposes of this Act, each of the following assets is taken to relate to the financial services and markets sector:
    (a) a critical banking asset;
    (b) a critical superannuation asset;
    (c) a critical insurance asset;
    (d) a critical financial market infrastructure asset.

(5) For the purposes of this Act, a critical water asset is taken to relate to the water and sewerage sector.

(6) For the purposes of this Act, each of the following assets is taken to relate to the energy sector:
    (a) a critical electricity asset;
    (b) a critical gas asset;
    (c) a critical energy market operator asset;
    (d) a critical liquid fuel asset.

(7) For the purposes of this Act, a critical hospital is taken to relate to the health care and medical sector.

(8) For the purposes of this Act, a critical education asset is taken to relate to the higher education and research sector.

(9) For the purposes of this Act, a critical food and grocery asset is taken to relate to the food and grocery sector.

(10) For the purposes of this Act, each of the following assets is taken to relate to the transport sector:
    (a) a critical port;
    (b) a critical freight infrastructure asset;
    (c) a critical freight services asset;
    (d) a critical public transport asset;
    (e) a critical aviation asset.

(11) For the purposes of this Act, a critical defence industry asset is taken to relate to the defence industry sector.

8F Critical infrastructure sector for a critical infrastructure asset

For the purposes of this Act, the critical infrastructure sector for a critical infrastructure asset is the critical infrastructure sector to which the asset relates.

8G Meaning of relevant impact

(1) Each of the following is a relevant impact of a hazard on a critical infrastructure asset:
    (a) the impact (whether direct or indirect) of the hazard on the availability of the asset;
    (b) the impact (whether direct or indirect) of the hazard on the integrity of the asset;
    (c) the impact (whether direct or indirect) of the hazard on the reliability of the asset;
    (d) the impact (whether direct or indirect) of the hazard on the confidentiality of:
        (i) information about the asset; or
        (ii) if information is stored in the asset--the information; or
        (iii) if the asset is computer data--the computer data.

(2) Each of the following is a relevant impact of a cyber security incident on a critical infrastructure asset:
    (a) the impact (whether direct or indirect) of the incident on the availability of the asset;
    (b) the impact (whether direct or indirect) of the incident on the integrity of the asset;
    (c) the impact (whether direct or indirect) of the incident on the reliability of the asset;
    (d) the impact (whether direct or indirect) of the incident on the confidentiality of:
        (i) information about the asset; or
        (ii) if information is stored in the asset--the information; or
        (iii) if the asset is computer data--the computer data.

(3) Each of the following is a relevant impact of a cyber security incident on a system of national significance:
    (a) the impact (whether direct or indirect) of the incident on the availability of the system;
    (b) the impact (whether direct or indirect) of the incident on the integrity of the system;
    (c) the impact (whether direct or indirect) of the incident on the reliability of the system;
    (d) the impact (whether direct or indirect) of the incident on the confidentiality of:
        (i) information about the system; or
        (ii) if information is stored in the system--the information; or
        (iii) if the system is computer data--the computer data.

22 Paragraphs 9(1)(a), (b), (c) and (d)

Repeal the paragraphs, substitute:
    (a) a critical telecommunications asset; or
    (b) a critical broadcasting asset; or
    (c) a critical domain name system; or
    (d) a critical data storage or processing asset; or
    (da) a critical banking asset; or
    (db) a critical superannuation asset; or
    (dc) a critical insurance asset; or
    (dd) a critical financial market infrastructure asset; or
    (de) a critical water asset; or
    (df) a critical electricity asset; or
    (dg) a critical gas asset; or
    (dh) a critical energy market operator asset; or
    (di) a critical liquid fuel asset; or
    (dj) a critical hospital; or
    (dk) a critical education asset; or
    (dl) a critical food and grocery asset; or
    (dm) a critical port; or
    (dn) a critical freight infrastructure asset; or
    (do) a critical freight services asset; or
    (dp) a critical public transport asset; or
    (dq) a critical aviation asset; or
    (dr) a critical defence industry asset; or

23 At the end of subsection 9(1)

Add:

Note: For prescription by class, see subsection 13(3) of the Legislation Act 2003.

24 Paragraphs 9(2)(a), (b), (c) and (d)

Repeal the paragraphs, substitute:
    (a) a critical telecommunications asset; or
    (b) a critical broadcasting asset; or
    (c) a critical domain name system; or
    (d) a critical data storage or processing asset; or
    (e) a critical banking asset; or
    (f) a critical superannuation asset; or
    (g) a critical insurance asset; or
    (h) a critical financial market infrastructure asset; or
    (i) a critical water asset; or
    (j) a critical electricity asset; or
    (k) a critical gas asset; or
    (l) a critical energy market operator asset; or
    (m) a critical liquid fuel asset; or
    (n) a critical hospital; or
    (o) a critical education asset; or
    (p) a critical food and grocery asset; or
    (q) a critical port; or
    (r) a critical freight infrastructure asset; or
    (s) a critical freight services asset; or
    (t) a critical public transport asset; or
    (u) a critical aviation asset; or
    (v) a critical defence industry asset;

25 At the end of subsection 9(2)

Add:

Note: For prescription by class, see subsection 13(3) of the Legislation Act 2003.

26 After subsection 9(2)

Insert:

(2A) If an asset is owned by:
    (a) the Commonwealth; or
    (b) a body corporate established by a law of the Commonwealth (other than a government business enterprise);
the asset is not a critical infrastructure asset unless:
    (c) the asset is declared under section 51 to be a critical infrastructure asset; or
    (d) the asset is prescribed by the rules for the purposes of paragraph (1)(f).

(2B) An asset is not a critical infrastructure asset if, or to the extent to which, the asset is located outside Australia.

27 Paragraph 9(3)(b)

Repeal the paragraph, substitute:
    (b) the asset relates to a critical infrastructure sector.

28 Subparagraph 9(4)(a)(i)

Before "located", insert "wholly or partly".

29 Subparagraph 9(4)(a)(ii)

Omit "industry for the asset", substitute "critical infrastructure sector".

30 Paragraph 10(1)(a)

After "customers", insert "or any other number of customers prescribed by the rules".

31 Paragraph 12(1)(b)

Repeal the paragraph, substitute:
    (b) a gas storage facility that has a maximum daily withdrawal capacity of at least 75 terajoules per day or any other maximum daily withdrawal capacity prescribed by the rules;

32 After section 12

Insert:

12A Meaning of critical liquid fuel asset

(1) An asset is a critical liquid fuel asset if it is any of the following:
    (a) a liquid fuel refinery that is critical to ensuring the security and reliability of a liquid fuel market, in accordance with subsection (2);
    (b) a liquid fuel pipeline that is critical to ensuring the security and reliability of a liquid fuel market, in accordance with subsection (3);
    (c) a liquid fuel storage facility that is critical to ensuring the security and reliability of a liquid fuel market, in accordance with subsection (4).

Note: The rules may prescribe that a specified critical liquid fuel asset is not a critical infrastructure asset (see section 9).

(2) For the purposes of paragraph (1)(a), the rules may prescribe:
    (a) specified liquid fuel refineries that are critical to ensuring the security and reliability of a liquid fuel market; or
    (b) requirements for a liquid fuel refinery to be critical to ensuring the security and reliability of a liquid fuel market.

(3) For the purposes of paragraph (1)(b), the rules may prescribe:
    (a) specified liquid fuel pipelines that are critical to ensuring the security and reliability of a liquid fuel market; or
    (b) requirements for a liquid fuel pipeline to be critical to ensuring the security and reliability of a liquid fuel market.

(4) For the purposes of paragraph (1)(c), the rules may prescribe:
    (a) specified liquid fuel storage facilities that are critical to ensuring the security and reliability of a liquid fuel market; or
    (b) requirements for a liquid fuel storage facility to be critical to ensuring the security and reliability of a liquid fuel market.

12B Meaning of critical freight infrastructure asset

(1) An asset is a critical freight infrastructure asset if it is any of the following:
    (a) a road network that, in accordance with subsection (2), functions as a critical corridor for the transportation of goods between:
        (i) 2 States; or
        (ii) a State and a Territory; or
        (iii) 2 Territories; or
        (iv) 2 regional centres;
    (b) a rail network that, in accordance with subsection (3), functions as a critical corridor for the transportation of goods between:
        (i) 2 States; or
        (ii) a State and a Territory; or
        (iii) 2 Territories; or
        (iv) 2 regional centres;
    (c) an intermodal transfer facility that, in accordance with subsection (4), is critical to the transportation of goods between:
        (i) 2 States; or
        (ii) a State and a Territory; or
        (iii) 2 Territories; or
        (iv) 2 regional centres.

Note: The rules may prescribe that a specified critical freight infrastructure asset is not a critical infrastructure asset (see section 9).

(2) For the purposes of paragraph (1)(a), the rules may prescribe:
    (a) specified road networks that function as a critical corridor for the transportation of goods between:
        (i) 2 States; or
        (ii) a State and a Territory; or
        (iii) 2 Territories; or
        (iv) 2 regional centres; or
    (b) requirements for a road network to function as a critical corridor for the transportation of goods between:
        (i) 2 States; or
        (ii) a State and a Territory; or
        (iii) 2 Territories; or
        (iv) 2 regional centres.

(3) For the purposes of paragraph (1)(b), the rules may prescribe:
    (a) specified rail networks that function as a critical corridor for the transportation of goods between:
        (i) 2 States; or
        (ii) a State and a Territory; or
        (iii) 2 Territories; or
        (iv) 2 regional centres; or
    (b) requirements for a rail network to function as a critical corridor for the transportation of goods between:
        (i) 2 States; or
        (ii) a State and a Territory; or
        (iii) 2 Territories; or
        (iv) 2 regional centres.

(4) For the purposes of paragraph (1)(c), the rules may prescribe:
    (a) specified intermodal transfer facilities that are critical to the transportation of goods between:
        (i) 2 States; or
        (ii) a State and a Territory; or
        (iii) 2 Territories; or
        (iv) 2 regional centres; or
    (b) requirements for an intermodal transfer facility to be critical to the transportation of goods between:
        (i) 2 States; or
        (ii) a State and a Territory; or
        (iii) 2 Territories; or
        (iv) 2 regional centres.

(5) For the purposes of this section, road network includes a part of a road network.

(6) For the purposes of this section, rail network includes a part of a rail network.

12C Meaning of critical freight services asset

(1) An asset is a critical freight services asset if it is a network that is used by an entity carrying on a business that, in accordance with subsection (2), is critical to the transportation of goods by any or all of the following:
    (a) road;
    (b) rail;
    (c) inland waters;
    (d) sea.

Note: The rules may prescribe that a specified critical freight services asset is not a critical infrastructure asset (see section 9).

(2) For the purposes of subsection (1), the rules may prescribe:
    (a) specified businesses that are critical to the transportation of goods by any or all of the following:
        (i) road;
        (ii) rail;
        (iii) inland waters;
        (iv) sea; or
    (b) requirements for a business to be critical to the transportation of goods by any or all of the following:
        (i) road;
        (ii) rail;
        (iii) inland waters;
        (iv) sea.

12D Meaning of critical financial market infrastructure asset

(1) An asset is a critical financial market infrastructure asset if it is any of the following assets:
    (a) an asset that:
        (i) is owned or operated by an Australian body corporate that holds an Australian market licence; and
        (ii) is used in connection with the operation of a financial market that, in accordance with subsection (2), is critical to the security and reliability of the financial services and markets sector;
    (b) an asset that:
        (i) is owned or operated by an associated entity of an Australian body corporate that holds an Australian market licence; and
        (ii) is used in connection with the operation of a financial market that, in accordance with subsection (2), is critical to the security and reliability of the financial services and markets sector;
    (c) an asset that:
        (i) is owned or operated by an Australian body corporate that holds an Australian CS facility licence; and
        (ii) is used in connection with the operation of a clearing and settlement facility that, in accordance with subsection (3), is critical to the security and reliability of the financial services and markets sector;
    (d) an asset that:
        (i) is owned or operated by an associated entity of an Australian body corporate that holds an Australian CS facility licence; and
        (ii) is used in connection with the operation of a clearing and settlement facility that, in accordance with subsection (3), is critical to the security and reliability of the financial services and markets sector;
    (e) an asset that:
        (i) is owned or operated by an Australian body corporate that holds a benchmark administrator licence; and
        (ii) is used in connection with the administration of a significant financial benchmark that, in accordance with subsection (4), is critical to the security and reliability of the financial services and markets sector;
    (f) an asset that:
        (i) is owned or operated by an associated entity of an Australian body corporate that holds a benchmark administrator licence; and
        (ii) is used in connection with the administration of a significant financial benchmark that, in accordance with subsection (4), is critical to the security and reliability of the financial services and markets sector;
    (g) an asset that:
        (i) is owned or operated by an Australian body corporate that holds an Australian derivative trade repository licence; and
        (ii) is used in connection with the operation of a derivative trade repository that, in accordance with subsection (5), is critical to the security and reliability of the financial services and markets sector;
    (h) an asset that:
        (i) is owned or operated by an associated entity of an Australian body corporate that holds an Australian derivative trade repository licence; and
        (ii) is used in connection with the operation of a derivative trade repository that, in accordance with subsection (5), is critical to the security and reliability of the financial services and markets sector;
    (i) an asset that is used in connection with the operation of a payment system that, in accordance with subsection (6), is critical to the security and reliability of the financial services and markets sector.

Note: The rules may prescribe that a specified critical financial market infrastructure asset is not a critical infrastructure asset (see section 9).

(2) For the purposes of paragraphs (1)(a) and (b), the rules may prescribe:
    (a) specified financial markets that are critical to the security and reliability of the financial services and markets sector; or
    (b) requirements for a financial market to be critical to the security and reliability of the financial services and markets sector.

(3) For the purposes of paragraphs (1)(c) and (d), the rules may prescribe:
    (a) specified clearing and settlement facilities that are critical to the security and reliability of the financial services and markets sector; or
    (b) requirements for a clearing and settlement facility to be critical to the security and reliability of the financial services and markets sector.

(4) For the purposes of paragraphs (1)(e) and (f), the rules may prescribe:
    (a) specified significant financial benchmarks that are critical to the security and reliability of the financial services and markets sector; or
    (b) requirements for a significant financial benchmark to be critical to the security and reliability of the financial services and markets sector.

(5) For the purposes of paragraphs (1)(g) and (h), the rules may prescribe:
    (a) specified derivative trade repositories that are critical to the security and reliability of the financial services and markets sector; or
    (b) requirements for a derivative trade repository to be critical to the security and reliability of the financial services and markets sector.

(6) For the purposes of paragraph (1)(i), the rules may prescribe:
    (a) specified payment systems that are critical to the security and reliability of the financial services and markets sector; or
    (b) requirements for a payment system to be critical to the security and reliability of the financial services and markets sector.

(7) For the purposes of this section, Australian body corporate means a body corporate that is incorporated in Australia.

12E Meaning of critical broadcasting asset

(1) One or more broadcasting transmission assets are a critical broadcasting asset if:
    (a) the broadcasting transmission assets are:
        (i) owned or operated by the same entity; and
        (ii) located on a site that, in accordance with subsection (2), is a critical transmission site; or
    (b) the broadcasting transmission assets are:
        (i) owned or operated by the same entity; and
        (ii) located on at least 50 different sites; and
        (iii) not broadcasting re-transmission assets; or
    (c) the broadcasting transmission assets are owned or operated by an entity that, in accordance with subsection (3), is critical to the transmission of a broadcasting service.

Note: The rules may prescribe that a specified critical broadcasting asset is not a critical infrastructure asset (see section 9).

(2) For the purposes of paragraph (1)(a), the rules may prescribe:
    (a) specified sites that are critical transmission sites; or
    (b) requirements for sites to be critical transmission sites.

(3) For the purposes of paragraph (1)(c), the rules may prescribe:
    (a) specified entities that are critical to the transmission of a broadcasting service; or
    (b) requirements for an entity to be critical to the transmission of a broadcasting service.

12F Meaning of
critical
data storage or processing asset
14
(1) An asset is a
critical data storage or processing asset
if:
15
(a) it is owned or operated by an entity that is a data storage or
16
processing provider; and
17
(b) it is used wholly or primarily to provide a data storage or
18
processing service that is provided by the entity on a
19
commercial basis to an end-user that is:
20
(i) the Commonwealth; or
21
(ii) a body corporate established by a law of the
22
Commonwealth; or
23
(iii) a State; or
24
(iv) a body corporate established by a law of a State; or
25
(v) a Territory; or
26
(vi) a body corporate established by a law of a Territory; and
27
(c) the entity knows that the asset is used as described in
28
paragraph (b).
29
Note:
The rules may prescribe that a specified critical data storage or
30
processing asset is not a critical infrastructure asset (see section 9).
31
(2) An asset is a
critical data storage or processing asset
if:
32
(a) it is owned or operated by an entity that is a data storage or
33
processing provider; and
34
(b) it is used wholly or primarily to provide a data storage or processing service that:
(i) is provided by the entity on a commercial basis to an end-user that is the responsible entity for a critical infrastructure asset; and
(ii) relates to business critical data; and
(c) the entity knows that the asset is used as described in paragraph (b).
Note: The rules may prescribe that a specified critical data storage or processing asset is not a critical infrastructure asset (see section 9).
(3) If:
(a) an entity (the first entity) is the responsible entity for a critical infrastructure asset; and
(b) the first entity becomes aware that a data storage or processing service:
(i) is provided by another entity on a commercial basis to the first entity; and
(ii) relates to business critical data;
the first entity must:
(c) take reasonable steps to inform that other entity that the first entity has become aware that the data storage or processing service:
(i) is provided by the other entity on a commercial basis to the first entity; and
(ii) relates to business critical data; and
(d) do so as soon as practicable after becoming so aware.
Civil penalty for contravention of this subsection: 50 penalty units.

12G Meaning of critical banking asset
(1) An asset is a critical banking asset if it is any of the following assets:
(a) an asset where the following conditions are satisfied:
(i) the asset is owned or operated by an authorised deposit-taking institution;
(ii) the authorised deposit-taking institution is an authorised deposit-taking institution that, in accordance with subsection (2), is critical to the security and reliability of the financial services and markets sector;
(iii) the asset is used in connection with the carrying on of banking business;
(b) an asset where the following conditions are satisfied:
(i) the asset is owned or operated by a body corporate that is a related body corporate of an authorised deposit-taking institution;
(ii) the body corporate is a body corporate that, in accordance with subsection (3), is critical to the security and reliability of the financial services and markets sector;
(iii) the asset is used in connection with the carrying on of banking business.
Note: The rules may prescribe that a specified critical banking asset is not a critical infrastructure asset (see section 9).
(2) For the purposes of subparagraph (1)(a)(ii), the rules may prescribe:
(a) specified authorised deposit-taking institutions that are critical to the security and reliability of the financial services and markets sector; or
(b) requirements for an authorised deposit-taking institution to be critical to the security and reliability of the financial services and markets sector.
(3) For the purposes of subparagraph (1)(b)(ii), the rules may prescribe:
(a) specified bodies corporate that are critical to the security and reliability of the financial services and markets sector; or
(b) requirements for a body corporate to be critical to the security and reliability of the financial services and markets sector.

12H Meaning of critical insurance asset
(1) An asset is a critical insurance asset if it is any of the following assets:
(a) an asset where the following conditions are satisfied:
(i) the asset is owned or operated by an entity that carries on insurance business;
(ii) the entity is an entity that, in accordance with subsection (2), is critical to the security and reliability of the financial services and markets sector;
(iii) the asset is used in connection with the carrying on of insurance business;
(b) an asset where the following conditions are satisfied:
(i) the asset is owned or operated by a body corporate that is a related body corporate of an entity that carries on insurance business;
(ii) the body corporate is a body corporate that, in accordance with subsection (3), is critical to the security and reliability of the financial services and markets sector;
(iii) the asset is used in connection with the carrying on of insurance business;
(c) an asset where the following conditions are satisfied:
(i) the asset is owned or operated by an entity that carries on life insurance business;
(ii) the entity is an entity that, in accordance with subsection (4), is critical to the security and reliability of the financial services and markets sector;
(iii) the asset is used in connection with the carrying on of life insurance business;
(d) an asset where the following conditions are satisfied:
(i) the asset is owned or operated by a body corporate that is a related body corporate of an entity that carries on life insurance business;
(ii) the body corporate is a body corporate that, in accordance with subsection (5), is critical to the security and reliability of the financial services and markets sector;
(iii) the asset is used in connection with the carrying on of life insurance business;
(e) an asset where the following conditions are satisfied:
(i) the asset is owned or operated by an entity that carries on health insurance business;
(ii) the entity is an entity that, in accordance with subsection (6), is critical to the security and reliability of the financial services and markets sector;
(iii) the asset is used in connection with the carrying on of health insurance business;
(f) an asset where the following conditions are satisfied:
(i) the asset is owned or operated by a body corporate that is a related body corporate of an entity that carries on health insurance business;
(ii) the body corporate is a body corporate that, in accordance with subsection (7), is critical to the security and reliability of the financial services and markets sector;
(iii) the asset is used in connection with the carrying on of health insurance business.
Note: The rules may prescribe that a specified critical insurance asset is not a critical infrastructure asset (see section 9).
(2) For the purposes of subparagraph (1)(a)(ii), the rules may prescribe:
(a) specified entities that are critical to the security and reliability of the financial services and markets sector; or
(b) requirements for an entity to be critical to the security and reliability of the financial services and markets sector.
(3) For the purposes of subparagraph (1)(b)(ii), the rules may prescribe:
(a) specified bodies corporate that are critical to the security and reliability of the financial services and markets sector; or
(b) requirements for a body corporate to be critical to the security and reliability of the financial services and markets sector.
(4) For the purposes of subparagraph (1)(c)(ii), the rules may prescribe:
(a) specified entities that are critical to the security and reliability of the financial services and markets sector; or
(b) requirements for an entity to be critical to the security and reliability of the financial services and markets sector.
(5) For the purposes of subparagraph (1)(d)(ii), the rules may prescribe:
(a) specified bodies corporate that are critical to the security and reliability of the financial services and markets sector; or
(b) requirements for a body corporate to be critical to the security and reliability of the financial services and markets sector.
(6) For the purposes of subparagraph (1)(e)(ii), the rules may prescribe:
(a) specified entities that are critical to the security and reliability of the financial services and markets sector; or
(b) requirements for an entity to be critical to the security and reliability of the financial services and markets sector.
(7) For the purposes of subparagraph (1)(f)(ii), the rules may prescribe:
(a) specified bodies corporate that are critical to the security and reliability of the financial services and markets sector; or
(b) requirements for a body corporate to be critical to the security and reliability of the financial services and markets sector.

12J Meaning of critical superannuation asset
(1) An asset is a critical superannuation asset if:
(a) it is owned or operated by a registrable superannuation entity that, in accordance with subsection (2), is critical to the security and reliability of the financial services and markets sector; and
(b) it is used in connection with the operation of a superannuation fund.
Note: The rules may prescribe that a specified critical superannuation asset is not a critical infrastructure asset (see section 9).
(2) For the purposes of paragraph (1)(a), the rules may prescribe:
(a) specified registrable superannuation entities that are critical to the security and reliability of the financial services and markets sector; or
(b) requirements for a registrable superannuation entity to be critical to the security and reliability of the financial services and markets sector.

12K Meaning of critical food and grocery asset
(1) An asset is a critical food and grocery asset if it is a network that:
(a) is used for the distribution or supply of:
(i) food; or
(ii) groceries; and
(b) is owned or operated by an entity that is:
(i) a critical supermarket retailer, in accordance with subsection (2); or
(ii) a critical food wholesaler, in accordance with subsection (3); or
(iii) a critical grocery wholesaler, in accordance with subsection (4).
Note: The rules may prescribe that a specified critical food and grocery asset is not a critical infrastructure asset (see section 9).
(2) For the purposes of subparagraph (1)(b)(i), the rules may prescribe:
(a) specified entities that are critical supermarket retailers; or
(b) requirements for an entity to be a critical supermarket retailer.
(3) For the purposes of subparagraph (1)(b)(ii), the rules may prescribe:
(a) specified entities that are critical food wholesalers; or
(b) requirements for an entity to be a critical food wholesaler.
(4) For the purposes of subparagraph (1)(b)(iii), the rules may prescribe:
(a) specified entities that are critical grocery wholesalers; or
(b) requirements for an entity to be a critical grocery wholesaler.
12KA Meaning of critical domain name system
(1) An asset is a critical domain name system if it:
(a) is managed by an entity that, in accordance with subsection (2), is critical to the administration of an Australian domain name system; and
(b) is used in connection with the administration of an Australian domain name system.
Note: The rules may prescribe that a specified critical domain name system is not a critical infrastructure asset (see section 9).
(2) For the purposes of paragraph (1)(a), the rules may prescribe:
(a) specified entities that are critical to the administration of an Australian domain name system; or
(b) requirements for an entity to be critical to the administration of an Australian domain name system.

12L Meaning of responsible entity
Critical telecommunications asset
(1) The responsible entity for a critical telecommunications asset is:
(a) whichever of the following is applicable:
(i) if the critical telecommunications asset is owned or operated by a carrier--the carrier;
(ii) if the critical telecommunications asset is owned or operated by a carriage service provider--the carriage service provider; or
(b) if another entity is prescribed by the rules in relation to the asset--that other entity.
Critical broadcasting asset
(2) The responsible entity for a critical broadcasting asset is:
(a) the entity referred to in whichever of the following provisions is applicable:
(i) subparagraph 12E(1)(a)(i);
(ii) subparagraph 12E(1)(b)(i);
(iii) paragraph 12E(1)(c); or
(b) if another entity is prescribed by the rules in relation to the asset--that other entity.
Critical domain name system
(3) The responsible entity for a critical domain name system is:
(a) the entity referred to in paragraph 12KA(1)(a); or
(b) if another entity is prescribed by the rules in relation to the system--that other entity.
Critical data storage or processing asset
(4) The responsible entity for a critical data storage or processing asset is:
(a) if the asset is covered by subsection 12F(1)--the entity referred to in paragraph 12F(1)(a); or
(b) if the asset is covered by subsection 12F(2)--the entity referred to in paragraph 12F(2)(a); or
(c) if another entity is prescribed by the rules in relation to the asset--that other entity.
Critical banking asset
(5) The responsible entity for a critical banking asset is:
(a) if the asset is covered by paragraph 12G(1)(a)--the authorised deposit-taking institution referred to in subparagraph 12G(1)(a)(i); or
(b) if the asset is covered by paragraph 12G(1)(b)--the body corporate referred to in subparagraph 12G(1)(b)(i); or
(c) if another entity is prescribed by the rules in relation to the asset--that other entity.
Critical superannuation asset
(6) The responsible entity for a critical superannuation asset is:
(a) the registrable superannuation entity referred to in subsection 12J(1); or
(b) if another entity is prescribed by the rules in relation to the asset--that other entity.
Critical insurance asset
(7) The responsible entity for a critical insurance asset is:
(a) if the asset is covered by paragraph 12H(1)(a)--the entity referred to in subparagraph 12H(1)(a)(i); or
(b) if the asset is covered by paragraph 12H(1)(b)--the body corporate referred to in subparagraph 12H(1)(b)(i); or
(c) if the asset is covered by paragraph 12H(1)(c)--the entity referred to in subparagraph 12H(1)(c)(i); or
(d) if the asset is covered by paragraph 12H(1)(d)--the body corporate referred to in subparagraph 12H(1)(d)(i); or
(e) if the asset is covered by paragraph 12H(1)(e)--the entity referred to in subparagraph 12H(1)(e)(i); or
(f) if the asset is covered by paragraph 12H(1)(f)--the body corporate referred to in subparagraph 12H(1)(f)(i); or
(g) if another entity is prescribed by the rules in relation to the asset--that other entity.
Critical financial market infrastructure asset
(8) The responsible entity for a critical financial market infrastructure asset is:
(a) if the asset is covered by paragraph 12D(1)(a)--the body corporate referred to in subparagraph 12D(1)(a)(i); or
(b) if the asset is covered by paragraph 12D(1)(b)--the associated entity referred to in subparagraph 12D(1)(b)(i); or
(c) if the asset is covered by paragraph 12D(1)(c)--the body corporate referred to in subparagraph 12D(1)(c)(i); or
(d) if the asset is covered by paragraph 12D(1)(d)--the associated entity referred to in subparagraph 12D(1)(d)(i); or
(e) if the asset is covered by paragraph 12D(1)(e)--the body corporate referred to in subparagraph 12D(1)(e)(i); or
(f) if the asset is covered by paragraph 12D(1)(f)--the associated entity referred to in subparagraph 12D(1)(f)(i); or
(g) if the asset is covered by paragraph 12D(1)(g)--the body corporate referred to in subparagraph 12D(1)(g)(i); or
(h) if the asset is covered by paragraph 12D(1)(h)--the associated entity referred to in subparagraph 12D(1)(h)(i); or
(i) if the asset is covered by paragraph 12D(1)(i)--the entity prescribed by the rules; or
(j) if another entity is prescribed by the rules in relation to the asset--that other entity.
Critical water asset
(9) The responsible entity for a critical water asset is:
(a) the water utility that holds the licence, approval or authorisation (however described), under a law of the Commonwealth, a State or a Territory, to provide the service to be delivered by the asset; or
(b) if another entity is prescribed by the rules in relation to the asset--that other entity.
Critical electricity asset
(10) The responsible entity for a critical electricity asset is:
(a) the entity that holds the licence, approval or authorisation (however described) to operate the asset to provide the service to be delivered by the asset; or
(b) if another entity is prescribed by the rules in relation to the asset--that other entity.
Critical gas asset
(11) The responsible entity for a critical gas asset is:
(a) the entity that holds the licence, approval or authorisation (however described) to operate the asset to provide the service to be delivered by the asset; or
(b) if another entity is prescribed by the rules in relation to the asset--that other entity.
Critical energy market operator asset
(12) The responsible entity for a critical energy market operator asset is:
(a) if the asset is used by Australian Energy Market Operator Limited (ACN 072 010 327)--that company; or
(b) if the asset is used by Power and Water Corporation--that corporation; or
(c) if the asset is used by Regional Power Corporation--that corporation; or
(d) if the asset is used by Electricity Networks Corporation--that corporation; or
(e) if another entity is prescribed by the rules in relation to the asset--that other entity.
Critical liquid fuel asset
(13) The responsible entity for a critical liquid fuel asset is:
(a) if the asset is a liquid fuel refinery--the entity that operates the liquid fuel refinery; or
(b) if the asset is a liquid fuel pipeline--the entity that operates the liquid fuel pipeline; or
(c) if the asset is a liquid fuel storage facility--the entity that operates the liquid fuel storage facility; or
(d) if another entity is prescribed by the rules in relation to the asset--that other entity.
Critical hospital
(14) The responsible entity for a critical hospital is:
(a) if the critical hospital is a public hospital--the local hospital network that operates the hospital; or
(b) if the critical hospital is a private hospital--the entity that holds the licence, approval or authorisation (however described), under a law of a State or a Territory to operate the hospital; or
(c) if another entity is prescribed by the rules in relation to the hospital--that other entity.
Critical education asset
(15) The responsible entity for a critical education asset is:
(a) the entity referred to in the definition of critical education asset in section 5; or
(b) if another entity is prescribed by the rules in relation to the asset--that other entity.
Critical food and grocery asset
(16) The responsible entity for a critical food and grocery asset is:
(a) the entity referred to in paragraph 12K(1)(b); or
(b) if another entity is prescribed by the rules in relation to the asset--that other entity.
Critical port
(17) The responsible entity for a critical port is:
(a) the port operator (within the meaning of the Maritime Transport and Offshore Facilities Security Act 2003) of the port; or
(b) if another entity is prescribed by the rules in relation to the port--that other entity.
Critical freight infrastructure asset
(18) The responsible entity for a critical freight infrastructure asset is:
(a) if the Commonwealth is responsible for the management of the asset--the Commonwealth; or
(b) if a State is responsible for the management of the asset--the State; or
(c) if a Territory is responsible for the management of the asset--the Territory; or
(d) if a body is:
(i) established by a law of the Commonwealth, a State or a Territory; and
(ii) responsible for the management of the asset;
that body; or
(e) if none of paragraphs (a), (b), (c), (d) and (e) apply--the entity prescribed by the rules in relation to the asset; or
(f) if another entity is prescribed by the rules in relation to the asset--that other entity.
Critical freight services asset
(19) The responsible entity for a critical freight services asset is:
(a) the entity referred to in subsection 12C(1); or
(b) if another entity is prescribed by the rules in relation to the asset--that other entity.
Critical public transport asset
(20) The responsible entity for a critical public transport asset is:
(a) the entity referred to in paragraph (a) of the definition of critical public transport asset in section 5; or
(b) if another entity is prescribed by the rules in relation to the asset--that other entity.
Critical aviation asset
(21) The responsible entity for a critical aviation asset is:
(a) if the asset is:
(i) used in connection with the provision of an air service; and
(ii) owned or operated by an aircraft operator;
the aircraft operator; or
(b) if the asset is:
(i) used in connection with the provision of an air service; and
(ii) owned or operated by a regulated air cargo agent;
the regulated air cargo agent; or
(c) if the asset is used by an airport operator in connection with the operation of an airport--the airport operator; or
(d) if another entity is prescribed by the rules in relation to the asset--that other entity.
Critical defence industry asset
(22) The responsible entity for a critical defence industry asset is:
(a) the entity referred to in paragraph (a) of the definition of critical defence industry asset; or
(b) if another entity is prescribed by the rules in relation to the asset--that other entity.
Assets prescribed by the rules
(23) The responsible entity for an asset prescribed by the rules in relation to the asset for the purposes of paragraph 9(1)(f) is the entity specified in the rules.
Assets declared to be a critical infrastructure asset
(24) The responsible entity for an asset declared under section 51 to be a critical infrastructure asset is the entity specified in the declaration as the responsible entity for the asset (see subsection 51(2)).
System of national significance
(25) If a critical infrastructure asset is a system of national significance, the responsible entity for the system of national significance is the responsible entity for the asset.

12M Meaning of cyber security incident
A cyber security incident is one or more acts, events or circumstances involving any of the following:
(a) unauthorised access to:
(i) computer data; or
(ii) a computer program;
(b) unauthorised modification of:
(i) computer data; or
(ii) a computer program;
(c) unauthorised impairment of electronic communication to or from a computer;
(d) unauthorised impairment of the availability, reliability, security or operation of:
(i) a computer; or
(ii) computer data; or
(iii) a computer program.

12N Meaning of unauthorised access, modification or impairment
(1) For the purposes of this Act:
(a) access to:
(i) computer data; or
(ii) a computer program; or
(b) modification of:
(i) computer data; or
(ii) a computer program; or
(c) the impairment of electronic communication to or from a computer; or
(d) the impairment of the availability, reliability, security or operation of:
(i) a computer; or
(ii) computer data; or
(iii) a computer program;
by a person is unauthorised if the person is not entitled to cause that access, modification or impairment.
(2) For the purposes of subsection (1), it is immaterial whether the person can be identified.
(3) For the purposes of subsection (1), if:
(a) a person causes any access, modification or impairment of a kind mentioned in that subsection; and
(b) the person does so:
(i) under a warrant issued under a law of the Commonwealth, a State or a Territory; or
(ii) under an emergency authorisation given to the person under Part 3 of the Surveillance Devices Act 2004 or under a law of a State or Territory that makes provision to similar effect; or
(iii) under a tracking device authorisation given to the person under section 39 of the Surveillance Devices Act 2004; or
(iv) in accordance with a technical assistance request; or
(v) in compliance with a technical assistance notice; or
(vi) in compliance with a technical capability notice;
the person is entitled to cause that access, modification or impairment.
12P Examples of responding to a cyber security incident
The following are examples of responding to a cyber security incident:
(a) if the incident is imminent--preventing the incident;
(b) mitigating a relevant impact of the incident on:
(i) a critical infrastructure asset; or
(ii) a critical infrastructure sector asset;
(c) if a critical infrastructure asset or a critical infrastructure sector asset has been, or is being, affected by the incident--restoring the functionality of the asset.

33 Paragraph 13(1)(b)
Omit "that is a reporting entity for,", insert ", so far as the entity is the responsible entity for, a reporting entity for, a relevant entity for,".

34 At the end of paragraph 13(1)(b)
Add:
or (iv) used in the course of, or in relation to, banking to which paragraph 51(xiii) of the Constitution applies; or
(v) used in the course of, or in relation to, insurance to which paragraph 51(xiv) of the Constitution applies; or
(vi) used to supply a carriage service; or
(vii) used in connection with the provision of a broadcasting service; or
(viii) used to administer a domain name system;

35 Subsection 13(2)
Omit "also applies", substitute "and section 60AA (acquisition of property) also apply".

36 Division 1 of Part 2 (heading)
Omit "Simplified outline of this Part", substitute "Introduction".

37 At the end of section 18
Add:
Note: See also section 18A (application of this Part).
38 At the end of Division 1 of Part 2
Add:
18A Application of this Part
(1) This Part applies to a critical infrastructure asset if:
(a) the asset is specified in the rules; or
(b) both:
(i) the asset is the subject of a declaration under section 51; and
(ii) the declaration determines that this Part applies to the asset; or
(c) immediately before the commencement of this section, the asset was a critical infrastructure asset (within the meaning of this Act as in force immediately before that commencement).
Note: For specification by class, see subsection 13(3) of the Legislation Act 2003.
(2) Subsection (1) has effect subject to subsection (3).
(3) The rules may provide that, if an asset becomes a critical infrastructure asset, this Part does not apply to the asset during the period:
(a) beginning when the asset became a critical infrastructure asset; and
(b) ending at a time ascertained in accordance with the rules.

18AA Consultation--rules
Scope
(1) This section applies to rules made for the purposes of section 18A.
Consultation
(2) Before making or amending the rules, the Minister must:
(a) cause to be published on the Department's website a notice:
(i) setting out the draft rules or amendments; and
(ii) inviting persons to make submissions to the Minister about the draft rules or amendments within 28 days after the notice is published; and
(b) give a copy of the notice to each First Minister; and
(c) consider any submissions received within the 28-day period mentioned in paragraph (a).

39 After Part 2
Insert:
Part 2A--Critical infrastructure risk management programs

30AA Simplified outline of this Part
• The responsible entity for one or more critical infrastructure assets must have, and comply with, a critical infrastructure risk management program.
• The purpose of a critical infrastructure risk management program is to do the following for each of those assets:
(a) identify each hazard where there is a material risk that the occurrence of the hazard could have a relevant impact on the asset;
(b) so far as it is reasonably possible to do so--minimise or eliminate any material risk of such a hazard occurring;
(c) mitigate the relevant impact of such a hazard on the asset.
• A responsible entity must give an annual report relating to its critical infrastructure risk management program. If the entity has a board, council or other governing body, the annual report must be approved by the board, council or other governing body.
Note: See also section 30AB (application of this Part).
Schedule 1
Security of critical infrastructure
Part 1
General amendments
58
Security Legislation Amendment (Critical Infrastructure) Bill 2020
No. , 2020
30AB Application of this Part
(1) This Part applies to a critical infrastructure asset if:
(a) the asset is specified in the rules; or
(b) both:
(i) the asset is the subject of a declaration under section 51; and
(ii) the declaration determines that this Part applies to the asset.
Note: For specification by class, see subsection 13(3) of the Legislation Act 2003.
(2) Subsection (1) has effect subject to subsection (3).
(3) The rules may provide that, if an asset becomes a critical infrastructure asset, this Part does not apply to the asset during the period:
(a) beginning when the asset became a critical infrastructure asset; and
(b) ending at a time ascertained in accordance with the rules.
30ABA Consultation--rules
Scope
(1) This section applies to rules made for the purposes of section 30AB.
Consultation
(2) Before making or amending the rules, the Minister must:
(a) cause to be published on the Department's website a notice:
(i) setting out the draft rules or amendments; and
(ii) inviting persons to make submissions to the Minister about the draft rules or amendments within 28 days after the notice is published; and
(b) give a copy of the notice to each First Minister; and
(c) consider any submissions received within the 28-day period mentioned in paragraph (a).
30AC Responsible entity must have a critical infrastructure risk management program
If an entity is the responsible entity for one or more critical infrastructure assets, the entity must:
(a) adopt; and
(b) maintain;
a critical infrastructure risk management program that applies to the entity.
Civil penalty: 200 penalty units.
30AD Compliance with critical infrastructure risk management program
If:
(a) an entity is the responsible entity for one or more critical infrastructure assets; and
(b) the entity has adopted a critical infrastructure risk management program that applies to the entity;
the entity must comply with:
(c) the critical infrastructure risk management program; or
(d) if the program has been varied on one or more occasions--the program as varied.
Civil penalty: 200 penalty units.
30AE Review of critical infrastructure risk management program
If:
(a) an entity is the responsible entity for one or more critical infrastructure assets; and
(b) the entity has adopted a critical infrastructure risk management program that applies to the entity;
the entity must review the program on a regular basis.
Civil penalty: 200 penalty units.
30AF Update of critical infrastructure risk management program
If:
(a) an entity is the responsible entity for one or more critical infrastructure assets; and
(b) the entity has adopted a critical infrastructure risk management program that applies to the entity;
the entity must take all reasonable steps to ensure that the program is up to date.
Civil penalty: 200 penalty units.
30AG Responsible entity must submit annual report
Scope
(1) This section applies if, during a period (the relevant period) that consists of the whole or a part of a financial year:
(a) an entity was the responsible entity for one or more critical infrastructure assets; and
(b) the entity had a critical infrastructure risk management program that applied to the entity.
Annual report
(2) The entity must, within 90 days after the end of the financial year, give:
(a) if there is a relevant Commonwealth regulator that has functions relating to the security of those assets--the relevant Commonwealth regulator; or
(b) in any other case--the Secretary;
a report that:
(c) if the entity had the program at the end of the financial year--includes whichever of the following statements is applicable:
(i) if the program was up to date at the end of the financial year--a statement to that effect;
(ii) if the program was not up to date at the end of the financial year--a statement to that effect; and
(d) if a hazard had a significant relevant impact on one or more of those assets during the relevant period--includes a statement that:
(i) identifies the hazard; and
(ii) evaluates the effectiveness of the program in mitigating the significant relevant impact of the hazard on the assets concerned; and
(iii) if the program was varied during the financial year as a result of the occurrence of the hazard--outlines the variation; and
(e) is in the approved form; and
(f) if the entity has a board, council or other governing body--is approved by the board, council or other governing body, as the case requires.
Civil penalty: 150 penalty units.
(3) A report given by an entity under subsection (2) is not admissible in evidence against the entity in civil proceedings relating to a contravention of a civil penalty provision of this Act.
30AH Critical infrastructure risk management program
(1) A critical infrastructure risk management program is a written program:
(a) that applies to a particular entity that is the responsible entity for one or more critical infrastructure assets; and
(b) the purpose of which is to do the following for each of those assets:
(i) identify each hazard where there is a material risk that the occurrence of the hazard could have a relevant impact on the asset;
(ii) so far as it is reasonably possible to do so--minimise or eliminate any material risk of such a hazard occurring;
(iii) mitigate the relevant impact of such a hazard on the asset; and
(c) that complies with such requirements (if any) as are specified in the rules.
(2) Requirements specified under paragraph (1)(c):
(a) may be of general application; or
(b) may relate to one or more specified critical infrastructure assets.
Note: For specification by class, see subsection 13(3) of the Legislation Act 2003.
(3) Subsection (2) of this section does not, by implication, limit subsection 33(3A) of the Acts Interpretation Act 1901.
(4) Rules made for the purposes of paragraph (1)(c) may require that a critical infrastructure risk management program include provisions that require background checks of individuals to be conducted under the AusCheck scheme.
(5) Subsection (4) does not limit paragraph (1)(c).
(6) In specifying requirements in rules made for the purposes of paragraph (1)(c), the Minister must have regard to the following matters:
(a) any existing regulatory system of the Commonwealth, a State or a Territory that imposes obligations on responsible entities;
(b) the costs that are likely to be incurred by responsible entities in complying with those rules;
(c) the reasonableness and proportionality of the requirements in relation to the purpose referred to in paragraph (1)(b);
(d) such other matters (if any) as the Minister considers relevant.
(7) For the purposes of this section, in determining whether a risk is a material risk, regard must be had to:
(a) the likelihood of the hazard occurring; and
(b) the relevant impact of the hazard on the asset if the hazard were to occur.
(8) The rules may provide that a specified risk is taken to be a material risk for the purposes of this section.
(9) The rules may provide that the taking of specified action in relation to a critical infrastructure asset is taken to be action that minimises or eliminates any material risk that the occurrence of a specified hazard could have a relevant impact on the asset.
Note: For specification by class, see subsection 13(3) of the Legislation Act 2003.
(10) The rules may provide that the taking of specified action in relation to a specified critical infrastructure asset is taken to be action that minimises or eliminates any material risk that the occurrence of a specified hazard could have a relevant impact on the asset.
Note: For specification by class, see subsection 13(3) of the Legislation Act 2003.
(11) The rules may provide that the taking of specified action in relation to a critical infrastructure asset is taken to be action that mitigates the relevant impact of a specified hazard on the asset.
Note: For specification by class, see subsection 13(3) of the Legislation Act 2003.
(12) The rules may provide that the taking of specified action in relation to a specified critical infrastructure asset is taken to be action that mitigates the relevant impact of a specified hazard on the asset.
Note: For specification by class, see subsection 13(3) of the Legislation Act 2003.
30AJ Variation of critical infrastructure risk management program
A critical infrastructure risk management program may be varied, so long as the varied program is a critical infrastructure risk management program.
30AK Revocation of adoption of critical infrastructure risk management program
If an entity has adopted a critical infrastructure risk management program that applies to the entity, this Part does not prevent the entity from:
(a) revoking that adoption; and
(b) adopting another critical infrastructure risk management program that applies to the entity.
30AL Consultation--rules
Scope
(1) This section applies to rules made for the purposes of section 30AH.
Consultation
(2) Before making or amending the rules, the Minister must:
(a) cause to be published on the Department's website a notice:
(i) setting out the draft rules or amendments; and
(ii) inviting persons to make submissions to the Minister about the draft rules or amendments within 28 days after the notice is published; and
(b) give a copy of the notice to each First Minister; and
(c) consider any submissions received within the 28-day period mentioned in paragraph (a).
(3) Subsection (2) does not apply if:
(a) the Minister is satisfied that there is an imminent threat that a hazard will have a significant relevant impact on a critical infrastructure asset; or
(b) the Minister is satisfied that a hazard has had, or is having, a significant relevant impact on a critical infrastructure asset.
Note: See also section 30AM (review of rules).
30AM Review of rules
Scope
(1) This section applies if, because of subsection 30AL(3), subsection 30AL(2) did not apply to the making of:
(a) rules; or
(b) amendments.
Review of rules
(2) The Secretary must:
(a) if paragraph (1)(a) applies--review the operation, effectiveness and implications of the rules; and
(b) if paragraph (1)(b) applies--review the operation, effectiveness and implications of the amendments; and
(c) without limiting paragraph (a) or (b), consider whether any amendments should be made; and
(d) give the Minister:
(i) a report of the review; and
(ii) a statement setting out the Secretary's findings.
(3) For the purposes of the review, the Secretary must:
(a) cause to be published on the Department's website a notice:
(i) setting out the rules or amendments concerned; and
(ii) inviting persons to make submissions to the Secretary about the rules or amendments concerned within 28 days after the notice is published; and
(b) give a copy of the notice to each First Minister; and
(c) consider any submissions received within the 28-day period mentioned in paragraph (a).
(4) The Secretary must complete the review within 60 days after the commencement of the rules or amendments concerned.
Minister to table statement of findings
(5) The Minister must cause a copy of the statement of findings to be tabled in each House of the Parliament within 15 sitting days of that House after the Minister receives it.
30AN Application, adoption or incorporation of a law of a State or Territory etc.
Scope
(1) This section applies to rules made for the purposes of section 30AH.
Application, adoption or incorporation of a law of a State or Territory
(2) Despite subsection 14(2) of the Legislation Act 2003, the rules may make provision in relation to a matter by applying, adopting or incorporating, with or without modification, any matter contained in a law of a State or Territory as in force or existing from time to time.
Application, adoption or incorporation of a standard
(3) Despite subsection 14(2) of the Legislation Act 2003, the rules may make provision in relation to a matter by applying, adopting or incorporating, with or without modification, any matter contained in a standard proposed or approved by Standards Australia as in force or existing from time to time.
Note: The expression Standards Australia is defined in section 2B of the Acts Interpretation Act 1901.
Part 2B--Notification of cyber security incidents
30BA Simplified outline of this Part
If a cyber security incident has a relevant impact on a critical infrastructure asset, the responsible entity for the asset may be required to give a relevant Commonwealth body a report about the incident.
Note: See also section 30BB (application of this Part).
30BB Application of this Part
(1) This Part applies to a critical infrastructure asset if:
(a) the asset is specified in the rules; or
(b) both:
(i) the asset is the subject of a declaration under section 51; and
(ii) the declaration determines that this Part applies to the asset.
Note: For specification by class, see subsection 13(3) of the Legislation Act 2003.
(2) Subsection (1) has effect subject to subsection (3).
(3) The rules may provide that, if an asset becomes a critical infrastructure asset, this Part does not apply to the asset during the period:
(a) beginning when the asset became a critical infrastructure asset; and
(b) ending at a time ascertained in accordance with the rules.
30BBA Consultation--rules
Scope
(1) This section applies to rules made for the purposes of section 30BB.
Consultation
(2) Before making or amending the rules, the Minister must:
(a) cause to be published on the Department's website a notice:
(i) setting out the draft rules or amendments; and
(ii) inviting persons to make submissions to the Minister about the draft rules or amendments within 28 days after the notice is published; and
(b) give a copy of the notice to each First Minister; and
(c) consider any submissions received within the 28-day period mentioned in paragraph (a).
30BC Notification of critical cyber security incidents
(1) If:
(a) an entity is the responsible entity for a critical infrastructure asset; and
(b) the entity becomes aware that:
(i) a cyber security incident has occurred or is occurring; and
(ii) the incident has had, or is having, a significant impact (whether direct or indirect) on the availability of the asset;
the entity must:
(c) give the relevant Commonwealth body (see section 30BF) a report that:
(i) is about the incident; and
(ii) includes such information (if any) as is prescribed by the rules; and
(d) do so as soon as practicable, and in any event within 12 hours, after the entity becomes so aware.
Civil penalty: 50 penalty units.
Form of report etc.
(2) A report under subsection (1) may be given:
(a) orally; or
(b) in writing.
(3) If a report under subsection (1) is given orally, the entity must:
(a) do both of the following:
(i) make a written record of the report in the approved form;
(ii) give a copy of the written record of the report to the relevant Commonwealth body (see section 30BF); and
(b) do so within 48 hours after the report is given.
Civil penalty: 50 penalty units.
(4) If the report is given in writing, the entity must ensure that the report is in the approved form.
Civil penalty: 50 penalty units.
30BD Notification of other cyber security incidents
(1) If:
(a) an entity is the responsible entity for a critical infrastructure asset; and
(b) the entity becomes aware that:
(i) a cyber security incident has occurred, is occurring or is imminent; and
(ii) the incident has had, is having, or is likely to have, a relevant impact on the asset;
the entity must:
(c) give the relevant Commonwealth body (see section 30BF) a report that:
(i) is about the incident; and
(ii) includes such information (if any) as is prescribed by the rules; and
(d) do so as soon as practicable, and in any event within 72 hours, after the entity becomes so aware.
Civil penalty: 50 penalty units.
Form of report etc.
(2) A report under subsection (1) may be given:
(a) orally; or
(b) in writing.
(3) If a report under subsection (1) is given orally, the entity must:
(a) do both of the following:
(i) make a written record of the report in the approved form;
(ii) give a copy of the written record of the report to the relevant Commonwealth body (see section 30BF); and
(b) do so within 48 hours after the report is given.
Civil penalty: 50 penalty units.
(4) If the report is given in writing, the entity must ensure that the report is in the approved form.
Civil penalty: 50 penalty units.
30BE Liability
(1) An entity is not liable to an action or other proceeding for damages for or in relation to an act done or omitted in good faith in compliance with section 30BC or section 30BD.
(2) An officer, employee or agent of an entity is not liable to an action or other proceeding for damages for or in relation to an act done or omitted in good faith in connection with an act done or omitted by the entity as mentioned in subsection (1).
30BF Relevant Commonwealth body
For the purposes of this Part, relevant Commonwealth body means:
(a) a Department that is specified in the rules; or
(b) a body that is:
(i) established by a law of the Commonwealth; and
(ii) specified in the rules; or
(c) if:
(i) no rules are in force for the purposes of paragraph (a); and
(ii) no rules are in force for the purposes of paragraph (b);
ASD.
Part 2C--Enhanced cyber security obligations
Division 1--Simplified outline of this Part
30CA Simplified outline of this Part
• This Part sets out enhanced cyber security obligations that relate to systems of national significance.
• The responsible entity for a system of national significance may be subject to statutory incident response planning obligations.
• The responsible entity for a system of national significance may be required to undertake a cyber security exercise.
• The responsible entity for a system of national significance may be required to undertake a vulnerability assessment.
• If a computer is a system of national significance, or is needed to operate a system of national significance, a relevant entity for the system may be required to:
(a) give ASD periodic reports of system information; or
(b) give ASD event-based reports of system information; or
(c) install software that transmits system information to ASD.
Note: For declaration of a system of national significance, see section 52B.
Division 2--Statutory incident response planning obligations
Subdivision A--Application of statutory incident response planning obligations
30CB Application of statutory incident response planning obligations--determination by the Secretary
(1) The Secretary may, by written notice given to an entity that is the responsible entity for a system of national significance, determine that the statutory incident response planning obligations apply to the entity in relation to:
(a) the system; and
(b) cyber security incidents.
(2) A determination under this section takes effect at the time specified in the determination.
(3) The specified time must not be earlier than the end of the 30-day period that began when the notice was given.
(4) Before giving a notice to an entity under this section in relation to a system of national significance, the Secretary must consult:
(a) the entity; and
(b) if there is a relevant Commonwealth regulator that has functions relating to the security of that system--the relevant Commonwealth regulator.
(5) A determination under this section is not a legislative instrument.
30CC Revocation of determination
Scope
(1) This section applies if:
(a) a determination is in force under section 30CB; and
(b) notice of the determination was given to a particular entity.
Power to revoke determination
(2) The Secretary may, by written notice given to the entity, revoke the determination.
Application of Acts Interpretation Act 1901
(3) This section does not, by implication, affect the application of subsection 33(3) of the Acts Interpretation Act 1901 to an instrument made under a provision of this Act (other than this Division).
Subdivision B--Statutory incident response planning obligations
30CD Responsible entity must have an incident response plan
If:
(a) an entity is the responsible entity for a system of national significance; and
(b) the statutory incident response planning obligations apply to the entity in relation to:
(i) the system; and
(ii) cyber security incidents;
the entity must:
(c) adopt; and
(d) maintain;
an incident response plan that applies to the entity in relation to:
(e) the system; and
(f) cyber security incidents.
Civil penalty: 200 penalty units.
30CE Compliance with incident response plan
If:
(a) an entity is the responsible entity for a system of national significance; and
(b) the entity has adopted an incident response plan that applies to the entity;
the entity must comply with:
(c) the incident response plan; or
(d) if the plan has been varied on one or more occasions--the plan as varied.
Civil penalty: 200 penalty units.
30CF Review of incident response plan
If:
(a) an entity is the responsible entity for a system of national significance; and
(b) the entity has adopted an incident response plan that applies to the entity;
the entity must review the plan on a regular basis.
Civil penalty: 200 penalty units.
30CG Update of incident response plan
If:
(a) an entity is the responsible entity for a system of national significance; and
(b) the entity has adopted an incident response plan that applies to the entity;
the entity must take all reasonable steps to ensure that the plan is up to date.
Civil penalty: 200 penalty units.
30CH Copy of incident response plan must be given to the Secretary
(1) If:
(a) an entity is the responsible entity for a system of national significance; and
(b) the entity adopts an incident response plan that applies to the entity;
the entity must:
(c) provide a copy of the incident response plan to the Secretary; and
(d) do so as soon as practicable after the adoption.
Civil penalty: 200 penalty units.
(2) If:
(a) an entity is the responsible entity for a system of national significance; and
(b) the entity varies an incident response plan that applies to the entity;
the entity must:
(c) provide a copy of the varied incident response plan to the Secretary; and
(d) do so as soon as practicable after the variation.
Civil penalty: 200 penalty units.
30CJ Incident response plan
(1) An incident response plan is a written plan:
(a) that applies to an entity that is the responsible entity for a system of national significance; and
(b) that relates to the system; and
(c) that relates to cyber security incidents; and
(d) the purpose of which is to plan for responding to cyber security incidents that could have a relevant impact on the system; and
(e) that complies with such requirements (if any) as are specified in the rules.
(2) Requirements specified under paragraph (1)(e):
(a) may be of general application; or
(b) may relate to one or more specified systems of national significance; or
(c) may relate to one or more specified types of cyber security incidents.
Note: For specification by class, see subsection 13(3) of the Legislation Act 2003.
(3) Subsection (2) of this section does not, by implication, limit subsection 33(3A) of the Acts Interpretation Act 1901.
30CK Variation of incident response plan
An incident response plan may be varied, so long as the varied plan is an incident response plan.
30CL Revocation of adoption of incident response plan
If an entity has adopted an incident response plan that applies to the entity, this Division does not prevent the entity from:
(a) revoking that adoption; and
(b) adopting another incident response plan that applies to the entity.
Division 3--Cyber security exercises
30CM Requirement to undertake cyber security exercise
(1) The Secretary may, by written notice given to an entity that is the responsible entity for a system of national significance, require the entity to:
(a) undertake a cyber security exercise in relation to:
(i) the system; and
(ii) all types of cyber security incidents; and
(b) do so within the period specified in the notice.
(2) The Secretary may, by written notice given to an entity that is the responsible entity for a system of national significance, require the entity to:
(a) undertake a cyber security exercise in relation to:
(i) the system; and
(ii) one or more specified types of cyber security incidents; and
(b) do so within the period specified in the notice.
(3) The period specified in a notice under subsection (1) or (2) must not be earlier than the end of the 30-day period that began when the notice was given.
(4) A notice under subsection (1) or (2) may also require the entity to do any or all of the following things:
(a) allow one or more specified designated officers to observe the cyber security exercise;
(b) provide those designated officers with access to premises for the purposes of observing the cyber security exercise;
(c) provide those designated officers with reasonable assistance and facilities that are reasonably necessary to allow those designated officers to observe the cyber security exercise;
(d) allow those designated officers to make such records as are reasonably necessary for the purposes of monitoring compliance with the notice;
(e) give those designated officers reasonable notice of the time when the cyber security exercise will begin.
(5) Before giving a notice to an entity under subsection (1) or (2) in relation to a system of national significance, the Secretary must consult:
(a) the entity; and
(b) if there is a relevant Commonwealth regulator that has functions relating to the security of that system--the relevant Commonwealth regulator.
30CN Cyber security exercise
(1) A cyber security exercise is an exercise:
(a) that is undertaken by the responsible entity for a system of national significance; and
(b) that relates to the system; and
(c) that either:
(i) relates to all types of cyber security incidents; or
(ii) relates to one or more specified types of cyber security incidents; and
(d) if the exercise relates to all types of cyber security incidents--the purpose of which is to:
(i) test the entity's ability to respond appropriately to all types of cyber security incidents that could have a relevant impact on the system; and
(ii) test the entity's preparedness to respond appropriately to all types of cyber security incidents that could have a relevant impact on the system; and
(iii) test the entity's ability to mitigate the relevant impacts that all types of cyber security incidents could have on the system; and
(e) if the exercise relates to one or more specified types of cyber security incidents--the purpose of which is to:
(i) test the entity's ability to respond appropriately to those types of cyber security incidents that could have a relevant impact on the system; and
(ii) test the entity's preparedness to respond appropriately to those types of cyber security incidents that could have a relevant impact on the system; and
(iii) test the entity's ability to mitigate the relevant impacts that those types of cyber security incidents could have on the system; and
(f) that complies with such requirements (if any) as are specified in the rules.
(2) Requirements specified under paragraph (1)(f):
(a) may be of general application; or
(b) may relate to one or more specified systems of national significance; or
(c) may relate to one or more specified types of cyber security incidents.
Note: For specification by class, see subsection 13(3) of the Legislation Act 2003.
(3) Subsection (2) of this section does not, by implication, limit subsection 33(3A) of the Acts Interpretation Act 1901.
30CP Compliance with requirement to undertake cyber security exercise
An entity must comply with a notice given to the entity under section 30CM.
Civil penalty: 200 penalty units.
30CQ Internal evaluation report
(1) If an entity undertakes a cyber security exercise under section 30CM, the entity must:
(a) do both of the following:
(i) prepare an evaluation report relating to the cyber security exercise;
(ii) give a copy of the report to the Secretary; and
(b) do so:
(i) within 30 days after the completion of the exercise; or
(ii) if the Secretary allows a longer period--within that longer period.
Civil penalty: 200 penalty units.
(2) An evaluation report prepared by an entity under subsection (1) is not admissible in evidence against the entity in civil proceedings relating to a contravention of a civil penalty provision of this Act (other than subsection (1) of this section or subsection 30CR(6)).
30CR External evaluation report
Scope
(1) This section applies if an entity has undertaken a cyber security exercise under section 30CM, and:
(a) all of the following conditions are satisfied:
(i) the entity has prepared, or purported to prepare, an evaluation report under section 30CQ relating to the exercise;
(ii) the entity has given a copy of the report to the Secretary;
(iii) the Secretary has reasonable grounds to believe that the report was not prepared appropriately; or
(b) the entity has contravened section 30CQ.
Requirement
(2) The Secretary may, by written notice given to the entity, require the entity to:
(a) appoint an external auditor; and
(b) arrange for the external auditor to prepare an evaluation report (the new evaluation report) relating to the exercise; and
(c) arrange for the external auditor to give the new evaluation report to the entity; and
(d) give the Secretary a copy of the new evaluation report within:
(i) the period specified in the notice; or
(ii) if the Secretary allows a longer period--that longer period.
(3) The notice must specify:
(a) the matters to be covered by the new evaluation report; and
(b) the form of the new evaluation report and the kinds of details it is to contain.
Consultation
(4) Before giving a notice to an entity under this section in connection with a cyber security exercise that relates to a system of national significance, the Secretary must consult:
(a) the entity; and
(b) if there is a relevant Commonwealth regulator that has functions relating to the security of that system--the relevant Commonwealth regulator.
Eligibility for appointment as an external auditor
(5) An individual is not eligible to be appointed an external auditor by the entity if the individual is an officer, employee or agent of the entity.
Compliance
(6) An entity must comply with a requirement under subsection (2).
Civil penalty: 200 penalty units.
Immunity
(7) The new evaluation report is not admissible in evidence against the entity in civil proceedings relating to a contravention of a civil penalty provision of this Act (other than subsection (6)).
30CS Meaning of evaluation report
An evaluation report, in relation to a cyber security exercise that was undertaken in relation to a system of national significance, is a written report:
(a) if the exercise relates to all types of cyber security incidents--the purpose of which is to:
(i) evaluate the entity's ability to respond appropriately to all types of cyber security incidents that could have a relevant impact on the system; and
(ii) evaluate the entity's preparedness to respond appropriately to all types of cyber security incidents that could have a relevant impact on the system; and
(iii) evaluate the entity's ability to mitigate the relevant impacts that all types of cyber security incidents could have on the system; and
(b) if the exercise relates to one or more specified types of cyber security incidents--the purpose of which is to:
(i) evaluate the entity's ability to respond appropriately to those types of cyber security incidents that could have a relevant impact on the system; and
(ii) evaluate the entity's preparedness to respond appropriately to those types of cyber security incidents that could have a relevant impact on the system; and
(iii) evaluate the entity's ability to mitigate the relevant impacts that those types of cyber security incidents could have on the system; and
(c) that complies with such requirements (if any) as are specified in the rules.
30CT External auditors
(1) The Secretary may, by writing, authorise a specified individual to be an external auditor for the purposes of this Act.
Note: For specification by class, see subsection 33(3AB) of the Acts Interpretation Act 1901.
(2) An authorisation under subsection (1) is not a legislative instrument.
Division 4--Vulnerability assessments
30CU Requirement to undertake vulnerability assessment
(1) The Secretary may, by written notice given to an entity that is the responsible entity for a system of national significance, require the entity to:
(a) undertake, or cause to be undertaken, a vulnerability assessment in relation to:
(i) the system; and
(ii) all types of cyber security incidents; and
(b) do so within the period specified in the notice.
(2) The Secretary may, by written notice given to an entity that is the responsible entity for a system of national significance, require the entity to:
(a) undertake, or cause to be undertaken, a vulnerability assessment in relation to:
(i) the system; and
(ii) one or more specified types of cyber security incidents; and
(b) do so within the period specified in the notice.
(3) Before giving a notice to an entity under subsection (1) or (2) in relation to the system of national significance, the Secretary must consult:
(a) the entity; and
(b) if there is a relevant Commonwealth regulator that has functions relating to the security of that system--the relevant Commonwealth regulator.
30CV Compliance with requirement to undertake a vulnerability assessment
An entity must comply with a notice given to the entity under section 30CU.
Civil penalty: 200 penalty units.
30CW Designated officers may undertake a vulnerability assessment
Scope
(1) This section applies if:
(a) an entity is the responsible entity for a system of national significance; and
(b) either:
(i) the Secretary has reasonable grounds to believe that if the entity were to be given a notice under subsection 30CU(1) or (2), the entity would not be capable of complying with the notice; or
(ii) the entity has not complied with a notice given to the entity under subsection 30CU(1) or (2).
Request
(2) The Secretary may give a designated officer a written request to:
(a) undertake a vulnerability assessment in relation to:
(i) the system; and
(ii) all types of cyber security incidents; and
(b) do so within the period specified in the request.
(3) The Secretary may give a designated officer a written request to:
(a) undertake a vulnerability assessment in relation to:
(i) the system; and
(ii) one or more specified types of cyber security incidents; and
(b) do so within the period specified in the request.
(4) Before giving a request under subsection (2) or (3) in relation to the system of national significance, the Secretary must consult:
(a) the entity; and
(b) if there is a relevant Commonwealth regulator that has functions relating to the security of that system--the relevant Commonwealth regulator.
Requirement
(5) If a request under subsection (2) or (3) is given to a designated officer, the Secretary may, by written notice given to the entity, require the entity to do any or all of the following things:
(a) provide the designated officer with access to premises for the purposes of undertaking the vulnerability assessment;
(b) provide the designated officer with access to computers for the purposes of undertaking the vulnerability assessment;
(c) provide the designated officer with reasonable assistance and facilities that are reasonably necessary to allow the designated officer to undertake the vulnerability assessment.
Notification of request
(6) If a request under subsection (2) or (3) is given to a designated officer, the Secretary must give a copy of the request to the entity.
30CX Compliance with requirement to provide reasonable assistance etc.
An entity must comply with a notice given to the entity under subsection 30CW(5).
Civil penalty: 200 penalty units.
30CY Vulnerability assessment
(1) A vulnerability assessment is an assessment:
(a) that relates to a system of national significance; and
(b) that either:
(i) relates to all types of cyber security incidents; or
(ii) relates to one or more specified types of cyber security incidents; and
(c) if the assessment relates to all types of cyber security incidents--the purpose of which is to test the vulnerability of the system to all types of cyber security incidents; and
(d) if the assessment relates to one or more specified types of cyber security incidents--the purpose of which is to test the vulnerability of the system to those types of cyber security incidents; and
(e) that complies with such requirements (if any) as are specified in the rules.
(2) Requirements specified under paragraph (1)(e):
(a) may be of general application; or
(b) may relate to one or more specified systems of national significance; or
(c) may relate to one or more specified types of cyber security incidents.
Note: For specification by class, see subsection 13(3) of the Legislation Act 2003.
(3) Subsection (2) of this section does not, by implication, limit subsection 33(3A) of the Acts Interpretation Act 1901.
30CZ Vulnerability assessment report
(1) If an entity undertakes, or causes to be undertaken, a vulnerability assessment under section 30CU, the entity must:
(a) do both of the following:
(i) prepare, or cause to be prepared, a vulnerability assessment report relating to the assessment;
(ii) give a copy of the report to the Secretary; and
(b) do so:
(i) within 30 days after the completion of the assessment; or
(ii) if the Secretary allows a longer period--within that longer period.
Civil penalty: 200 penalty units.
(2) If a designated officer undertakes a vulnerability assessment in accordance with a request given to the designated officer under section 30CW, the designated officer must:
(a) do both of the following:
(i) prepare a vulnerability assessment report relating to the assessment;
(ii) give a copy of the report to the Secretary; and
(b) do so:
(i) within 30 days after the completion of the assessment; or
(ii) if the Secretary allows a longer period--within that longer period.
(3) If an entity prepares, or causes to be prepared, a report under subsection (1), the report is not admissible in evidence against the entity in civil proceedings relating to a contravention of a civil penalty provision of this Act (other than subsection (1)).
30DA Meaning of vulnerability assessment report
A vulnerability assessment report, in relation to a vulnerability assessment that was undertaken in relation to a system of national significance, is a written report:
(a) if the assessment relates to all types of cyber security incidents--the purpose of which is to assess the vulnerability of the system to all types of cyber security incidents; and
(b) if the assessment relates to one or more specified types of cyber security incidents--the purpose of which is to assess the vulnerability of the system to those types of cyber security incidents; and
(c) that complies with such requirements (if any) as are specified in the rules.
Division 5--Access to system information
Subdivision A--System information reporting notices
30DB Secretary may require periodic reporting of system information
Scope
(1) This section applies if:
(a) a computer:
(i) is needed to operate a system of national significance; or
(ii) is a system of national significance; and
(b) the Secretary believes on reasonable grounds that a relevant entity for the system of national significance is technically capable of preparing periodic reports consisting of information that:
(i) relates to the operation of the computer; and
(ii) may assist with determining whether a power under this Act should be exercised in relation to the system of national significance; and
(iii) is not personal information (within the meaning of the Privacy Act 1988).
Requirement
(2) The Secretary may, by written notice given to the entity, require the entity to:
(a) prepare periodic reports that:
(i) consist of any such information; and
(ii) relate to such regular intervals as are specified in the notice; and
(b) prepare those periodic reports:
(i) in the manner and form specified in the notice; and
(ii) in accordance with the information technology requirements specified in the notice; and
(c) give each of those periodic reports to ASD within the period ascertained in accordance with the notice in relation to the periodic report concerned.
(3) A notice under subsection (2) is to be known as a system information periodic reporting notice.
(4) In deciding whether to give a system information periodic reporting notice to the entity, the Secretary must have regard to:
(a) the costs that are likely to be incurred by the entity in complying with the notice; and
(b) such other matters (if any) as the Secretary considers relevant.
Matters to be set out in notice
(5) A system information periodic reporting notice must set out the effect of section 30DF.
Other powers not limited
(6) This section does not, by implication, limit a power conferred by another provision of this Act.
30DC Secretary may require event-based reporting of system information
Scope
(1) This section applies if:
(a) a computer:
(i) is needed to operate a system of national significance; or
(ii) is a system of national significance; and
(b) the Secretary believes on reasonable grounds that, each time a particular kind of event occurs, a relevant entity for the system of national significance will be technically capable of preparing a report consisting of information that:
(i) relates to the operation of the computer; and
(ii) may assist with determining whether a power under this Act should be exercised in relation to the system of national significance; and
(iii) is not personal information (within the meaning of the Privacy Act 1988).
Requirement
(2) The Secretary may, by written notice given to the entity, require the entity to do the following things each time an event of that kind occurs:
(a) prepare a report that consists of any such information;
(b) prepare that report:
(i) in the manner and form specified in the notice; and
(ii) in accordance with the information technology requirements specified in the notice;
(c) give that report to ASD as soon as practicable after the event occurs.
(3) A notice under subsection (2) is to be known as a system information event-based reporting notice.
(4) In deciding whether to give a system information event-based reporting notice to the entity, the Secretary must have regard to:
(a) the costs that are likely to be incurred by the entity in complying with the notice; and
(b) such other matters (if any) as the Secretary considers relevant.
Matters to be set out in notice
(5) A system information event-based reporting notice must set out the effect of section 30DF.
Other powers not limited
(6) This section does not, by implication, limit a power conferred by another provision of this Act.
30DD Consultation
Before giving:
(a) a system information periodic reporting notice; or
(b) a system information event-based reporting notice;
to a relevant entity for a system of national significance, the Secretary must consult:
(c) the relevant entity; and
(d) if the relevant entity is not the responsible entity for the system of national significance--the responsible entity for the system of national significance.
30DE Duration of system information periodic reporting notice or system information event-based reporting notice
(1) A system information periodic reporting notice or a system information event-based reporting notice:
(a) comes into force:
(i) when it is given; or
(ii) if a later time is specified in the notice--at that later time; and
(b) remains in force for the period specified in the notice.
(2) The period specified in the notice must not be longer than 12 months.
(3) If a system information periodic reporting notice (the original notice) is in force, this Act does not prevent the Secretary from giving a fresh system information periodic reporting notice that:
(a) is in the same, or substantially the same, terms as the original notice; and
(b) comes into force immediately after the expiry of the original notice.
(4) If a system information event-based reporting notice (the original notice) is in force, this Act does not prevent the Secretary from giving a fresh system information event-based reporting notice that:
(a) is in the same, or substantially the same, terms as the original notice; and
(b) comes into force immediately after the expiry of the original notice.
30DF Compliance with system information periodic reporting notice or system information event-based reporting notice
An entity must comply with:
(a) a system information periodic reporting notice; or
(b) a system information event-based reporting notice;
to the extent that the entity is capable of doing so.
Civil penalty: 200 penalty units.
30DG Self-incrimination etc.
(1) An entity is not excused from giving a report under section 30DB or 30DC on the ground that the report might tend to incriminate the entity.
(2) If, at general law, an individual would otherwise be able to claim the privilege against self-exposure to a penalty (other than a penalty for an offence) in relation to giving a report under section 30DB or 30DC, the individual is not excused from giving a report under that section on that ground.
Note: A body corporate is not entitled to claim the privilege against self-exposure to a penalty.
30DH Admissibility of report etc.
If a report is given under section 30DB or 30DC:
(a) the report; or
(b) giving the report;
is not admissible in evidence against an entity:
(c) in criminal proceedings other than proceedings for an offence against section 137.2 of the Criminal Code that relates to this Act; or
(d) in civil proceedings other than proceedings for recovery of a penalty in relation to a contravention of section 30DF.
Subdivision B--System information software
30DJ Secretary may require installation of system information software
Scope
(1) This section applies if:
(a) a computer:
(i) is needed to operate a system of national significance; or
(ii) is a system of national significance; and
(b) the Secretary believes on reasonable grounds that a relevant entity for the system of national significance would not be technically capable of preparing reports under section 30DB or 30DC consisting of information that:
(i) relates to the operation of the computer; and
(ii) may assist with determining whether a power under this Act should be exercised in relation to the system of national significance; and
(iii) is not personal information (within the meaning of the Privacy Act 1988).
Requirement
(2) The Secretary may, by written notice given to the entity, require the entity to:
(a) both:
(i) install a specified computer program on the computer; and
(ii) do so within the period specified in the notice; and
(b) maintain the computer program installed in accordance with paragraph (a); and
(c) take all reasonable steps to ensure that the computer is continuously supplied with an internet carriage service that enables the computer program to function.
(3) A notice under subsection (2) is to be known as a system information software notice.
(4) In deciding whether to give a system information software notice to the entity, the Secretary must have regard to:
(a) the costs that are likely to be incurred by the entity in complying with the notice; and
(b) such other matters (if any) as the Secretary considers relevant.
(5) A computer program may only be specified in a system information software notice if the purpose of the computer program is to:
(a) collect and record information that:
(i) relates to the operation of the computer; and
(ii) may assist with determining whether a power under this Act should be exercised in relation to the system of national significance; and
(iii) is not personal information (within the meaning of the Privacy Act 1988); and
(b) cause the information to be transmitted electronically to ASD.
Matters to be set out in notice
(6) A system information software notice must set out the effect of section 30DM.
Other powers not limited
(7) This section does not, by implication, limit a power conferred by another provision of this Act.
30DK Consultation
Before giving a system information software notice to a relevant entity for a system of national significance, the Secretary must consult:
(a) the relevant entity; and
(b) if the relevant entity is not the responsible entity for the system of national significance--the responsible entity for the system of national significance.
30DL Duration of system information software notice
(1) A system information software notice:
(a) comes into force:
(i) when it is given; or
(ii) if a later time is specified in the notice--at that later time; and
(b) remains in force for the period specified in the notice.
(2) The period specified in the notice must not be longer than 12 months.
(3) If a system information software notice (the original notice) is in force, this Act does not prevent the Secretary from giving a fresh system information software notice that:
(a) is in the same, or substantially the same, terms as the original notice; and
(b) comes into force immediately after the expiry of the original notice.
30DM Compliance with system information software notice
An entity must comply with a system information software notice to the extent that the entity is capable of doing so.
Civil penalty: 200 penalty units.
30DN Self-incrimination etc.
(1) An entity is not excused from complying with a system information software notice on the ground that complying with the notice might tend to incriminate the entity.
(2) If, at general law, an individual would otherwise be able to claim the privilege against self-exposure to a penalty (other than a penalty for an offence) in relation to complying with a system information software notice, the individual is not excused from complying with the notice on that ground.
Note: A body corporate is not entitled to claim the privilege against self-exposure to a penalty.
30DP Admissibility of information etc.
If:
(a) a computer program is installed in compliance with a system information software notice; and
(b) information is transmitted to ASD as a result of the operation of the computer program;
the information is not admissible in evidence against an entity:
(c) in criminal proceedings; or
(d) in civil proceedings other than proceedings for recovery of a penalty in relation to a contravention of section 30DM.
Division 6--Designated officers
30DQ Designated officer
(1) A designated officer is an individual appointed by the Secretary, in writing, to be a designated officer for the purposes of this Act.
(2) The Secretary must not appoint an individual under subsection (1) unless:
(a) the individual is a Departmental employee; or
(b) both:
(i) the individual is a staff member of ASD; and
(ii) the Director-General of ASD has agreed to the appointment.
(3) The Secretary may, in writing, declare that each Departmental employee included in a specified class of Departmental employees is a designated officer.
(4) The Secretary may, in writing, declare that each staff member of ASD included in a specified class of staff members of ASD is a designated officer.
(5) The Secretary must not make a declaration under subsection (4) unless the Director-General of ASD has agreed to the declaration.
(6) For the purposes of this section, Departmental employee means an APS employee in the Department.
(7) For the purposes of this section, staff member of ASD has the same meaning as in the Intelligence Services Act 2001.
(8) A declaration under this section is not a legislative instrument.
40 Paragraph 32(4)(c)
Omit "industry for the critical infrastructure asset", substitute "critical infrastructure sector".
41 At the end of section 32
Add:
Other powers not limited
(6) This section does not, by implication, limit a power conferred by another provision of this Act.
42 Subparagraph 33(1)(a)(i)
Before "located", insert "wholly or partly".
43 Subparagraph 33(1)(a)(ii)
Omit "industry for the critical infrastructure asset", substitute "critical infrastructure sector".
44 At the end of Part 3
Add:
35AAA Directions prevail over inconsistent critical infrastructure risk management programs
If a critical infrastructure risk management program is applicable to a critical infrastructure asset, the program has no effect to the extent to which it is inconsistent with a direction under subsection 32(2).
35AAB Liability
(1) An entity is not liable to an action or other proceeding for damages for or in relation to an act done or omitted in good faith in compliance with a direction under subsection 32(2).
(2) An officer, employee or agent of an entity is not liable to an action or other proceeding for damages for or in relation to an act done or omitted in good faith in connection with an act done or omitted by the entity as mentioned in subsection (1) of this section.
45 After Part 3
Insert:
Part 3A--Responding to serious cyber security incidents
Division 1--Simplified outline of this Part
35AA Simplified outline of this Part
• This Part sets up a regime for the Commonwealth to respond to serious cyber security incidents.
• If a cyber security incident has had, is having, or is likely to have, a relevant impact on a critical infrastructure asset, the Minister may, in order to respond to the incident, do any or all of the following things:
(a) authorise the Secretary to give information-gathering directions to a relevant entity for the asset;
(b) authorise the Secretary to give an action direction to a relevant entity for the asset;
(c) authorise the Secretary to give an intervention request to the authorised agency.
• An information-gathering direction requires the relevant entity to give information to the Secretary.
• An action direction requires the relevant entity to do, or refrain from doing, a specified act or thing.
• An intervention request is a request that the authorised agency do one or more specified acts or things in relation to the asset.
Division 2--Ministerial authorisation relating to cyber security incident
35AB Ministerial authorisation
Scope
(1) This section applies if the Minister is satisfied that:
(a) a cyber security incident:
(i) has occurred; or
(ii) is occurring; or
(iii) is imminent; and
(b) the incident has had, is having, or is likely to have, a relevant impact on a critical infrastructure asset (the primary asset); and
(c) there is a material risk that the incident has seriously prejudiced, is seriously prejudicing, or is likely to seriously prejudice:
(i) the social or economic stability of Australia or its people; or
(ii) the defence of Australia; or
(iii) national security; and
(d) no existing regulatory system of the Commonwealth, a State or a Territory could be used to provide a practical and effective response to the incident.
Authorisation
(2) The Minister may, on application by the Secretary, do any or all of the following things:
(a) authorise the Secretary to give directions to a specified entity under section 35AK that relate to the incident and the primary asset;
(b) authorise the Secretary to give directions to a specified entity under section 35AK that relate to the incident and a specified critical infrastructure sector asset;
(c) authorise the Secretary to give to a specified entity a specified direction under section 35AQ that relates to the incident and the primary asset;
(d) authorise the Secretary to give to a specified entity a specified direction under section 35AQ that relates to the incident and a specified critical infrastructure sector asset;
(e) authorise the Secretary to give a specified request under section 35AX that relates to the incident and the primary asset;
(f) authorise the Secretary to give a specified request under section 35AX that relates to the incident and a specified critical infrastructure sector asset.
Note 1: Section 35AK deals with information gathering directions.
Note 2: Section 35AQ deals with action directions.
Note 3: Section 35AX deals with intervention requests.
(3) An authorisation under subsection (2) is to be known as a Ministerial authorisation.
(4) Subsection 33(3AB) of the Acts Interpretation Act 1901 does not apply to subsection (2) of this section.
Note: Subsection 33(3AB) of the Acts Interpretation Act 1901 deals with specification by class.
Information gathering directions
(5) A Ministerial authorisation under paragraph (2)(a) or (b):
(a) is generally applicable to the incident and the asset concerned; and
(b) is to be made without reference to any specific directions.
(6) The Minister must not give a Ministerial authorisation under paragraph (2)(a) or (b) unless the Minister is satisfied that the directions that could be authorised by the Ministerial authorisation are likely to facilitate a practical and effective response to the incident.
Action directions
(7) The Minister must not give a Ministerial authorisation under paragraph (2)(c) or (d) unless the Minister is satisfied that:
(a) the specified entity is unwilling or unable to take all reasonable steps to respond to the incident; and
(b) the specified direction is reasonably necessary for the purposes of responding to the incident; and
(c) the specified direction is a proportionate response to the incident; and
(d) compliance with the specified direction is technically feasible.
Note: Section 12P provides examples of responding to a cyber security incident.
(8) In determining whether the specified direction is a proportionate response to the incident, the Minister must have regard to:
(a) the impact of the specified direction on:
(i) the activities carried on by the specified entity; and
(ii) the functioning of the asset concerned; and
(b) the consequences of compliance with the specified direction; and
(c) such other matters (if any) as the Minister considers relevant.
(9) The Minister must not give a Ministerial authorisation under paragraph (2)(c) or (d) if the specified direction:
(a) requires the specified entity to permit the authorised agency to do an act or thing that could be the subject of a request under section 35AX; or
(b) requires the specified entity to take offensive cyber action against a person who is directly or indirectly responsible for the incident.
Intervention requests
(10) The Minister must not give a Ministerial authorisation under paragraph (2)(e) or (f) unless the Minister is satisfied that:
(a) giving a Ministerial authorisation under paragraph (2)(c) or (d) would not amount to a practical and effective response to the incident; and
(b) if there is only one relevant entity for the asset concerned--the relevant entity is unwilling or unable to take all reasonable steps to respond to the incident; and
(c) if there are 2 or more relevant entities for the asset concerned--those entities, when considered together, are unwilling or unable to take all reasonable steps to respond to the incident; and
(d) the specified request is reasonably necessary for the purposes of responding to the incident; and
(e) the specified request is a proportionate response to the incident; and
(f) compliance with the specified request is technically feasible; and
(g) each of the acts or things specified in the specified request is an act or thing of a kind covered by section 35AC.
Note: Section 12P provides examples of responding to a cyber security incident.
(11) In determining whether the specified request is a proportionate response to the incident, the Minister must have regard to:
(a) the impact of compliance with the specified request on the functioning of the asset concerned; and
(b) the consequences of acts or things that would be done in compliance with the specified request; and
(c) such other matters (if any) as the Minister considers relevant.
(12) The Minister must not give a Ministerial authorisation under paragraph (2)(e) or (f) if compliance with the specified request would involve the authorised agency taking offensive cyber action against a person who is directly or indirectly responsible for the incident.
(13) The Minister must not give a Ministerial authorisation under paragraph (2)(e) or (f) unless the Minister has obtained the agreement of:
(a) the Prime Minister; and
(b) the Defence Minister.
(14) An agreement under subsection (13) may be given:
(a) orally; or
(b) in writing.
(15) If an agreement under subsection (13) is given orally, the Prime Minister or the Defence Minister, as the case requires, must:
(a) do both of the following:
(i) make a written record of the agreement;
(ii) give a copy of the written record of the agreement to the Minister; and
(b) do so within 48 hours after the agreement is given.
Ministerial authorisation is not a legislative instrument
(16) A Ministerial authorisation is not a legislative instrument.
Other powers not limited
(17) This section does not, by implication, limit a power conferred by another provision of this Act.
35AC Kinds of acts or things that may be specified in an intervention request
For the purposes of the application of paragraph 35AB(10)(g) to a Ministerial authorisation of a request, each of the following kinds of acts or things is covered by this section:
(a) access or modify:
(i) a computer that is, or is part of, the asset to which the Ministerial authorisation relates; or
(ii) a computer device that is, or is part of, the asset to which the Ministerial authorisation relates;
(b) undertake an analysis of:
(i) a computer that is, or is part of, the asset to which the Ministerial authorisation relates; or
(ii) a computer program that is, or is part of, the asset to which the Ministerial authorisation relates; or
(iii) computer data that is, or is part of, the asset to which the Ministerial authorisation relates; or
(iv) a computer device that is, or is part of, the asset to which the Ministerial authorisation relates;
(c) if it is necessary to achieve the purpose mentioned in paragraph (b)--install a computer program on a computer that is, or is part of, the asset to which the Ministerial authorisation relates;
(d) access, add, restore, copy, alter or delete data held in:
(i) a computer that is, or is part of, the asset to which the Ministerial authorisation relates; or
(ii) a computer device that is, or is part of, the asset to which the Ministerial authorisation relates;
(e) access, restore, copy, alter or delete a computer program that is, or is part of, the asset to which the Ministerial authorisation relates;
(f) access, copy, alter or delete a computer program that is installed on a computer that is, or is part of, the asset to which the Ministerial authorisation relates;
(g) alter the functioning of:
(i) a computer that is, or is part of, the asset to which the Ministerial authorisation relates; or
(ii) a computer device that is, or is part of, the asset to which the Ministerial authorisation relates;
(h) remove or disconnect:
(i) a computer; or
(ii) a computer device;
from a computer network that is, or is part of, the asset to which the Ministerial authorisation relates;
(i) connect or add:
(i) a computer; or
(ii) a computer device;
to a computer network that is, or is part of, the asset to which the Ministerial authorisation relates;
(j) remove:
(i) a computer that is, or is part of, the asset to which the Ministerial authorisation relates; or
(ii) a computer device that is, or is part of, the asset to which the Ministerial authorisation relates;
from premises.
35AD Consultation
(1) Before giving a Ministerial authorisation under paragraph 35AB(2)(c) or (d), the Minister must consult the specified entity unless the delay that would occur if the specified entity were consulted would frustrate the effectiveness of the Ministerial authorisation.
(2) Before giving a Ministerial authorisation under paragraph 35AB(2)(e) or (f) in relation to an asset, the Minister must:
(a) if the asset is a critical infrastructure asset--consult the responsible entity for the asset; or
(b) if the asset is a critical infrastructure sector asset (other than a critical infrastructure asset)--consult whichever of the following entities the Minister considers to be most relevant in relation to the proposed authorisation:
(i) the owner, or each of the owners, of the asset;
(ii) the operator, or each of the operators, of the asset;
unless the delay that would occur if the entity or entities were consulted would frustrate the effectiveness of the Ministerial authorisation.
35AE Form and notification of Ministerial authorisation
(1) A Ministerial authorisation may be given:
(a) orally; or
(b) in writing.
(2) The Minister must not give a Ministerial authorisation orally in relation to:
(a) a cyber security incident; and
(b) an asset;
unless the delay that would occur if the Ministerial authorisation were to be made in writing would frustrate the effectiveness of:
(c) any directions that may be given under section 35AK or 35AQ in relation to the incident and the asset; or
(d) any requests that may be given under section 35AX in relation to the incident and the asset.
Notification of Ministerial authorisations given orally
(3) If a Ministerial authorisation is given orally in relation to:
(a) a cyber security incident; and
(b) an asset;
the Minister must:
(c) do both of the following:
(i) make a written record of the Ministerial authorisation;
(ii) give a copy of the written record of the Ministerial authorisation to the Secretary and the Inspector-General of Intelligence and Security; and
(d) do so within 48 hours after the Ministerial authorisation is given.
(4) If a Ministerial authorisation is given orally in relation to:
(a) a cyber security incident; and
(b) a critical infrastructure asset;
the Minister must:
(c) do both of the following:
(i) make a written record of the Ministerial authorisation;
(ii) give a copy of the written record of the Ministerial authorisation to the responsible entity for the asset; and
(d) do so within 48 hours after the Ministerial authorisation is given.
(5) If a Ministerial authorisation is given orally in relation to:
(a) a cyber security incident; and
(b) a critical infrastructure sector asset (other than a critical infrastructure asset);
the Minister must:
(c) make a written record of the Ministerial authorisation; and
(d) give a copy of the written record of the Ministerial authorisation to whichever of the following entities the Minister considers to be most relevant in relation to the Ministerial authorisation:
(i) the owner, or each of the owners, of the asset;
(ii) the operator, or each of the operators, of the asset; and
(e) do so within 48 hours after the Ministerial authorisation is given.
Notification of Ministerial authorisations given in writing
(6) If a Ministerial authorisation is given in writing in relation to:
(a) a cyber security incident; and
(b) an asset;
the Minister must:
(c) give a copy of the Ministerial authorisation to the Secretary and the Inspector-General of Intelligence and Security; and
(d) do so within 48 hours after the Ministerial authorisation is given.
(7) If a Ministerial authorisation is given in writing in relation to:
(a) a cyber security incident; and
(b) a critical infrastructure asset;
the Minister must:
(c) give a copy of the Ministerial authorisation to the responsible entity for the asset; and
(d) do so within 48 hours after the Ministerial authorisation is given.
(8) If a Ministerial authorisation is given in writing in relation to:
(a) a cyber security incident; and
(b) a critical infrastructure sector asset (other than a critical infrastructure asset);
the Minister must:
(c) give a copy of the Ministerial authorisation to whichever of the following entities the Minister considers to be most relevant in relation to the Ministerial authorisation:
(i) the owner, or each of the owners, of the asset;
(ii) the operator, or each of the operators, of the asset; and
(d) do so within 48 hours after the Ministerial authorisation is given.
35AF Form of application for Ministerial authorisation
(1) The Secretary may apply for a Ministerial authorisation either:
(a) orally; or
(b) in writing.
(2) The Secretary must not apply orally for a Ministerial authorisation that relates to:
(a) a cyber security incident; and
(b) an asset;
unless the delay that would occur if the application were to be made in writing would frustrate the effectiveness of:
(c) any directions that may be given under section 35AK or 35AQ in relation to the incident and the asset; or
(d) any requests that may be given under section 35AX in relation to the incident and the asset.
(3) If an application for a Ministerial authorisation is made orally, the Secretary must:
(a) do both of the following:
(i) make a written record of the application;
(ii) give a copy of the written record of the application to the Minister; and
(b) do so within 48 hours after the application is made.
35AG Duration of Ministerial authorisation
Scope
(1) This section applies if a Ministerial authorisation is given in relation to:
(a) a cyber security incident; and
(b) an asset.
Duration of Ministerial authorisation
(2) Subject to this section, the Ministerial authorisation remains in force for the period specified in the Ministerial authorisation (which must not exceed 20 days).
Fresh Ministerial authorisation
(3) If a Ministerial authorisation (the original Ministerial authorisation) is in force, this Act does not prevent the Minister from giving a fresh Ministerial authorisation that:
(a) is in the same, or substantially the same, terms as the original Ministerial authorisation; and
(b) comes into force immediately after the expiry of the original Ministerial authorisation.
(4) In deciding whether to give such a fresh Ministerial authorisation, the Minister must have regard to the number of occasions on which Ministerial authorisations have been made in relation to the incident and the asset.
(5) Subsection (4) does not limit the matters to which the Minister may have regard to in deciding whether to give a fresh Ministerial authorisation.
35AH Revocation of Ministerial authorisation
Scope
(1) This section applies if a Ministerial authorisation is in force in relation to:
(a) a cyber security incident; and
(b) an asset.
Power to revoke Ministerial authorisation
(2) The Minister may, in writing, revoke the Ministerial authorisation.
Duty to revoke Ministerial authorisation
(3) If the Minister is satisfied that the Ministerial authorisation is no longer required to respond to the incident, the Minister must, in writing, revoke the Ministerial authorisation.
(4) If the Secretary is satisfied that the Ministerial authorisation is no longer required to respond to the incident, the Secretary must:
(a) notify the Minister that the Secretary is so satisfied; and
(b) do so as soon as practicable after the Secretary becomes so satisfied.
Notification of revocation
(5) If the Ministerial authorisation is revoked, the Minister must:
(a) give a copy of the revocation to:
(i) the Secretary; and
(ii) the Inspector-General of Intelligence and Security; and
(iii) each relevant entity for the asset; and
(b) do so within 48 hours after the Ministerial authorisation is revoked.
(6) If a Ministerial authorisation is revoked in relation to:
(a) a cyber security incident; and
(b) a critical infrastructure asset;
the Minister must:
(c) give a copy of the revocation to the responsible entity for the asset; and
(d) do so within 48 hours after the Ministerial authorisation is revoked.
(7) If a Ministerial authorisation is revoked in relation to:
(a) a cyber security incident; and
(b) a critical infrastructure sector asset (other than a critical infrastructure asset);
the Minister must:
(c) give a copy of the revocation to whichever of the following entities the Minister considers to be most relevant in relation to the Ministerial authorisation:
(i) the owner, or each of the owners, of the asset;
(ii) the operator, or each of the operators, of the asset; and
(d) do so within 48 hours after the Ministerial authorisation is revoked.
Revocation is not a legislative instrument
(8) A revocation of the Ministerial authorisation is not a legislative instrument.
Application of Acts Interpretation Act 1901
(9) This section does not, by implication, affect the application of subsection 33(3) of the Acts Interpretation Act 1901 to an instrument made under a provision of this Act (other than this Part).
35AJ Minister to exercise powers personally
A power of the Minister under this Division may only be exercised by the Minister personally.
Division 3--Information gathering directions
35AK Information gathering direction
Scope
(1) This section applies if a Ministerial authorisation given under paragraph 35AB(2)(a) or (b) is in force in relation to:
(a) a cyber security incident; and
(b) an asset.
Direction
(2) If:
(a) an entity is a relevant entity for the asset; and
(b) the Secretary has reason to believe that the entity has information that may assist with determining whether a power under this Act should be exercised in relation to the incident and the asset;
the Secretary may direct the entity to:
(c) give any such information to the Secretary; and
(d) do so within the period, and in the manner, specified in the direction.
(3) The period specified in the direction must end at or before the end of the period for which the Ministerial authorisation is in force.
(4) The Secretary must not give the direction unless the Secretary is satisfied that:
(a) the direction is a proportionate means of obtaining the information; and
(b) compliance with the direction is technically feasible.
(5) The Secretary must not give a direction that would require an entity to:
(a) do an act or thing that would be prohibited by section 7 of the Telecommunications (Interception and Access) Act 1979; or
(b) do an act or thing that would be prohibited by section 108 of the Telecommunications (Interception and Access) Act 1979; or
(c) do an act or thing that would (disregarding this Act) be prohibited by section 276, 277 or 278 of the Telecommunications Act 1997.
(6) Before giving a direction under this section to an entity, the Secretary must consult the entity unless the delay that would occur if the entity were consulted would frustrate the effectiveness of the direction.
Other powers not limited
(7) This section does not, by implication, limit a power conferred by another provision of this Act.
35AL Form of direction
(1) A direction under section 35AK may be given:
(a) orally; or
(b) in writing.
(2) The Secretary must not give a direction under section 35AK orally unless the delay that would occur if the direction were to be given in writing would frustrate the effectiveness of the direction.
(3) If a direction under section 35AK is given orally to an entity, the Secretary must:
(a) do both of the following:
(i) make a written record of the direction;
(ii) give a copy of the written record of the direction to the entity; and
(b) do so within 48 hours after the direction is given.
35AM Compliance with an information gathering direction
An entity must comply with a direction given to the entity under section 35AK to the extent that the entity is capable of doing so.
Civil penalty: 150 penalty units.
35AN Self-incrimination etc.
(1) An entity is not excused from giving information under section 35AK on the ground that the information might tend to incriminate the entity.
(2) If, at general law, an individual would otherwise be able to claim the privilege against self-exposure to a penalty (other than a penalty for an offence) in relation to giving information under section 35AK, the individual is not excused from giving information under that section on that ground.
Note: A body corporate is not entitled to claim the privilege against self-exposure to a penalty.
35AP Admissibility of information etc.
If information is given under section 35AK:
(a) the information; or
(b) giving the information;
is not admissible in evidence against an entity:
(c) in criminal proceedings other than proceedings for an offence against section 137.1 or 137.2 of the Criminal Code that relates to this Act; or
(d) in civil proceedings other than proceedings for recovery of a penalty in relation to a contravention of section 35AM.
Division 4--Action directions
35AQ Action direction
(1) If an entity is a relevant entity for:
(a) a critical infrastructure asset; or
(b) a critical infrastructure sector asset;
the Secretary may give the entity a direction that directs the entity to do, or refrain from doing, a specified act or thing within the period specified in the direction.
(2) The Secretary must not give a direction under this section unless the direction:
(a) is identical to a direction specified in a Ministerial authorisation; and
(b) includes a statement to the effect that the direction is authorised by the Ministerial authorisation; and
(c) specifies the date on which the Ministerial authorisation was given.
Note: A Ministerial authorisation must not be given unless the Minister is satisfied that the direction is reasonably necessary for the purposes of responding to a cyber security incident--see section 35AB.
(3) The period specified in the direction must end at or before the end of the period for which the Ministerial authorisation is in force.
(4) A direction under this section is subject to such conditions (if any) as are specified in the direction.
(5) The Secretary must not give a direction under this section that would require an entity to give information to the Secretary.
Other powers not limited
(6) This section does not, by implication, limit a power conferred by another provision of this Act.
35AR Form of direction
(1) A direction under section 35AQ may be given:
(a) orally; or
(b) in writing.
(2) The Secretary must not give a direction under section 35AQ orally unless the delay that would occur if the direction were to be given in writing would frustrate the effectiveness of the direction.
(3) If a direction under section 35AQ is given orally to an entity, the Secretary must:
(a) do both of the following:
(i) make a written record of the direction;
(ii) give a copy of the written record of the direction to the entity; and
(b) do so within 48 hours after the direction is given.
35AS Revocation of direction
Scope
(1) This section applies if:
(a) a direction is in force under section 35AQ in relation to a Ministerial authorisation; and
(b) the direction was given to a particular entity.
Power to revoke direction
(2) The Secretary may, by written notice given to the entity, revoke the direction.
Duty to revoke direction
(3) If the Secretary is satisfied that the direction is no longer required to respond to the cyber security incident to which the Ministerial authorisation relates, the Secretary must, by written notice given to the entity, revoke the direction.
Automatic revocation of direction
(4) If the Ministerial authorisation ceases to be in force, the direction is revoked.
Application of Acts Interpretation Act 1901
(5) This section does not, by implication, affect the application of subsection 33(3) of the Acts Interpretation Act 1901 to an instrument made under a provision of this Act (other than this Part).
35AT Compliance with direction
(1) An entity commits an offence if:
(a) the entity is given a direction under section 35AQ; and
(b) the entity engages in conduct; and
(c) the entity's conduct breaches the direction.
Penalty: Imprisonment for 2 years or 120 penalty units, or both.
(2) Subsection (1) does not apply if the entity took all reasonable steps to comply with the direction.
35AU Directions prevail over inconsistent critical infrastructure risk management programs
If a critical infrastructure risk management program is applicable to an entity, the program has no effect to the extent to which it is inconsistent with a direction given to the entity under section 35AQ.
35AV Directions prevail over inconsistent obligations
If an obligation under this Act is applicable to an entity, the obligation has no effect to the extent to which it is inconsistent with a direction given to the entity under section 35AQ.
35AW Liability
(1) An entity is not liable to an action or other proceeding for damages for or in relation to an act done or omitted in good faith in compliance with a direction given under section 35AQ.
(2) An officer, employee or agent of an entity is not liable to an action or other proceeding for damages for or in relation to an act done or omitted in good faith in connection with an act done or omitted by the entity as mentioned in subsection (1).
Division 5--Intervention requests
35AX Intervention request
(1) The Secretary may give the chief executive of the authorised agency a request that the authorised agency do one or more specified acts or things within the period specified in the request.
(2) The Secretary must not give a request under this section unless the request:
(a) is identical to a request specified in a Ministerial authorisation; and
(b) includes a statement to the effect that the request is authorised by the Ministerial authorisation; and
(c) specifies the date on which the Ministerial authorisation was given.
Note: A Ministerial authorisation must not be given unless the Minister is satisfied that the request is reasonably necessary for the purposes of responding to a cyber security incident--see section 35AB.
(3) The period specified in the request must end at or before the end of the period for which the Ministerial authorisation is in force.
(4) A request under this section is subject to such conditions (if any) as are specified in the request.
(5) A request under this section does not extend to:
(a) doing an act or thing that would be prohibited by section 7 of the Telecommunications (Interception and Access) Act 1979; or
(b) doing an act or thing that would be prohibited by section 108 of the Telecommunications (Interception and Access) Act 1979; or
(c) doing an act or thing that would (disregarding this Act) be prohibited by section 276, 277 or 278 of the Telecommunications Act 1997.
Other powers not limited
(6) This section does not, by implication, limit a power conferred by another provision of this Act.
35AY Form and notification of request
(1) A request under section 35AX may be given:
(a) orally; or
(b) in writing.
(2) The Secretary must not give a request under section 35AX orally unless the delay that would occur if the request were to be given in writing would frustrate the effectiveness of the request.
Notification of requests given orally
(3) If a request under section 35AX is given orally, the Secretary must:
(a) do both of the following:
(i) make a written record of the request;
(ii) give a copy of the written record of the request to the chief executive of the authorised agency; and
(b) do so within 48 hours after the request is given.
(4) If a request under section 35AX is given orally in relation to a critical infrastructure asset, the Secretary must:
(a) do both of the following:
(i) make a written record of the request;
(ii) give a copy of the written record of the request to the responsible entity for the asset; and
(b) do so within 48 hours after the request is given.
(5) If a request under section 35AX is given orally in relation to a critical infrastructure sector asset (other than a critical infrastructure asset), the Secretary must:
(a) make a written record of the request; and
(b) give a copy of the written record of the request to whichever of the following entities the Secretary considers to be most relevant in relation to the request:
(i) the owner, or each of the owners, of the asset;
(ii) the operator, or each of the operators, of the asset; and
(c) do so within 48 hours after the request is given.
Notification of requests given in writing
(6) If a request under section 35AX is given in writing, the Secretary must:
(a) give a copy of the request to the chief executive of the authorised agency; and
(b) do so within 48 hours after the request is made.
(7) If a request under section 35AX is given in writing in relation to a critical infrastructure asset, the Secretary must:
(a) give a copy of the request to the responsible entity for the asset; and
(b) do so within 48 hours after the request is given.
(8) If a request under section 35AX is given in writing in relation to a critical infrastructure sector asset (other than a critical infrastructure asset), the Secretary must:
(a) give a copy of the request to whichever of the following entities the Secretary considers to be most relevant in relation to the request:
(i) the owner, or each of the owners, of the asset;
(ii) the operator, or each of the operators, of the asset; and
(b) do so within 48 hours after the request is given.
35AZ Compliance with request
(1) The authorised agency is authorised to do an act or thing in compliance with a request under section 35AX.
(2) An act or thing done by the authorised agency in compliance with a request under section 35AX is taken to be done in the performance of the function conferred on the authorised agency by paragraph 7(1)(f) of the Intelligence Services Act 2001.
35BA Revocation of request
Scope
(1) This section applies if a request is in force under section 35AX in relation to a Ministerial authorisation.
Power to revoke request
(2) The Secretary may, by written notice given to the chief executive of the authorised agency, revoke the request.
Duty to revoke request
(3) If the Secretary is satisfied that the request is no longer required to respond to the cyber security incident to which the Ministerial authorisation relates, the Secretary must, by written notice given to the chief executive of the authorised agency, revoke the request.
Automatic revocation of request
(4) If the Ministerial authorisation ceases to be in force, the request is revoked.
Notification of revocation of request
(5) If a request under section 35AX is revoked, the Secretary must:
(a) give a copy of the revocation of the request to the chief executive of the authorised agency and each relevant entity for the asset; and
(b) do so as soon as practicable after the revocation.
Application of Acts Interpretation Act 1901
(6) This section does not, by implication, affect the application of subsection 33(3) of the Acts Interpretation Act 1901 to an instrument made under a provision of this Act (other than this Part).
35BB Relevant entity to assist the authorised agency
(1) If:
(a) a request is in force under section 35AX in relation to a critical infrastructure asset or a critical infrastructure sector asset; and
(b) an entity is a relevant entity for the asset;
an approved staff member of the authorised agency may require the entity to:
(c) provide the approved staff member with access to premises for the purposes of the authorised agency complying with the request; or
(d) provide the authorised agency with specified information or assistance that is reasonably necessary to allow the authorised agency to comply with the request.
Note: See also section 149.1 of the Criminal Code (which deals with obstructing and hindering Commonwealth public officials).
(2) Paragraph (1)(c) does not apply to premises that are used solely or primarily as a residence.
(3) An entity must comply with a requirement under subsection (1).
Civil penalty: 150 penalty units.
Liability
(4) An entity is not liable to an action or other proceeding for damages for, or in relation to, an act done or omitted in good faith in compliance with a requirement under subsection (1).
(5) An officer, employee or agent of an entity is not liable to an action or other proceeding for damages for, or in relation to, an act done or omitted in good faith in connection with an act done or omitted by the entity as mentioned in subsection (4).
35BC Constable may assist the authorised agency
(1) If an entity refuses or fails to provide an approved staff member of the authorised agency with access to premises when required to do so under subsection 35BB(1):
(a) the approved staff member may enter the premises for the purposes of the authorised agency complying with the request mentioned in that subsection; and
(b) a constable may:
(i) assist the approved staff member in gaining access to the premises by using reasonable force against property; and
(ii) if necessary for the purposes of so assisting the approved staff member--enter the premises.
(2) If an approved staff member of the authorised agency has entered premises for the purposes of the authorised agency complying with a request under section 35AX, a constable may:
(a) assist the authorised agency in complying with the request by using reasonable force against property located on the premises; and
(b) for the purposes of so assisting the authorised agency--enter the premises.
35BD Removal and return of computers etc.
Removal of computers etc.
(1) If:
(a) in compliance with a request under section 35AX, the authorised agency adds or connects a computer or device to a computer network; and
(b) at a time when the request is in force, an approved staff member of the authorised agency forms a reasonable belief that the addition or connection of the computer or device is no longer required for the purposes of responding to the cyber security incident to which the relevant Ministerial authorisation relates;
the authorised agency must remove or disconnect the computer or device as soon as practicable after the approved staff member forms that belief.
(2) If:
(a) in compliance with a request under section 35AX, the authorised agency adds or connects a computer or device to a computer network; and
(b) the request ceases to be in force;
the authorised agency must remove or disconnect the computer or device as soon as practicable after the request ceases to be in force.
Return of computers etc.
(3) If:
(a) in compliance with a request under section 35AX, the authorised agency removes a computer or device; and
(b) at a time when the request is in force, an approved staff member of the authorised agency forms a reasonable belief that the removal of the computer or device is no longer required for the purposes of responding to the cyber security incident to which the relevant Ministerial authorisation relates;
the authorised agency must return the computer or device as soon as practicable after the approved staff member forms that belief.
(4) If:
(a) in compliance with a request under section 35AX, the authorised agency removes a computer or device; and
(b) the request ceases to be in force;
the authorised agency must return the computer or device as soon as practicable after the request ceases to be in force.
35BE Use of force against an individual not authorised
This Division does not authorise the use of force against an individual.
35BF Liability
Each of the following:
(a) the chief executive of the authorised agency;
(b) an approved staff member of the authorised agency;
(c) a constable;
is not liable to an action or other proceeding (whether civil or criminal) for, or in relation to, an act or matter done or omitted to be done in the exercise of any power or authority conferred by this Division.
35BG Evidentiary certificates
(1) The Inspector-General of Intelligence and Security may issue a written certificate setting out any facts relevant to the question of whether anything done, or omitted to be done, by the authorised agency, or an approved staff member of the authorised agency, was done, or omitted to be done, in the exercise of any power or authority conferred by this Division.
(2) A certificate issued under subsection (1) is admissible in evidence in any proceedings as prima facie evidence of the matters stated in the certificate.
35BH Chief executive of the authorised agency to report to the Defence Minister and the Minister
(1) If:
(a) the Secretary gives a request under section 35AX that was authorised by a Ministerial authorisation; and
(b) the authorised agency does one or more acts or things in compliance with the request;
the chief executive of the authorised agency must:
(c) prepare a written report that:
(i) sets out details of those acts or things; and
(ii) explains the extent to which doing those acts or things has amounted to an effective response to the cyber security incident to which the Ministerial authorisation relates; and
(d) give a copy of the report to the Defence Minister; and
(e) give a copy of the report to the Minister.
(2) The chief executive of the authorised agency must comply with subsection (1) as soon as practicable after the end of the period specified in the request and, in any event, within 3 months after the end of the period specified in the request.
35BJ Approved staff members of the authorised agency
(1) The chief executive of the authorised agency may, in writing, declare that a specified staff member of the authorised agency is an approved staff member of the authorised agency for the purposes of this Act.
(2) A declaration under subsection (1) is not a legislative instrument.
46 Section 36 (paragraph beginning "Information")
Repeal the paragraph.
47 At the end of section 36
Add:
Note: Protected information is defined in section 5.
48 Subparagraph 42(2)(a)(viii)
Omit "industry for the critical infrastructure asset", substitute "critical infrastructure sector".
49 Paragraph 42(2)(b)
Omit "industry for the critical infrastructure asset", substitute "critical infrastructure sector".
50 After section 43
Insert:
43A Authorised disclosure to IGIS official
The Secretary may:
(a) disclose protected information to an IGIS official for the purposes of exercising powers, or performing duties or functions, as an IGIS official; and
(b) make a record of or use protected information for the purpose of that disclosure.
Note: This section is an authorisation for the purposes of other laws, including the Australian Privacy Principles.
43B Authorised use and disclosure--Ombudsman official
Protected information may be disclosed by an Ombudsman official to an IGIS official for the purposes of the IGIS official exercising powers, or performing functions or duties, as an IGIS official.
Note: This section is an authorisation for the purposes of other laws, including the Australian Privacy Principles.
43C Authorised use and disclosure--IGIS official
Protected information may be disclosed by an IGIS official to an Ombudsman official for the purposes of the Ombudsman official exercising powers, or performing functions or duties, as an Ombudsman official.
Note: This section is an authorisation for the purposes of other laws, including the Australian Privacy Principles.
43D Authorised use and disclosure--ASD
The Director-General of ASD or a staff member of ASD may make a record of, use or disclose protected information for the purposes of the performance of the functions of ASD set out in section 7 of the Intelligence Services Act 2001.
Note: This section is an authorisation for the purposes of other laws, including the Australian Privacy Principles.
51 Paragraph 45(1)(a)
Repeal the paragraph, substitute:
(a) the entity:
(i) obtains information; or
(ii) generates information for the purposes of complying with this Act; and
52 Paragraph 45(1)(d)
Omit "subsection 51(3) or 52(4)", substitute "a notification provision".
53 Paragraph 46(1)(a)
Omit "subsection 51(3) or 52(4)", substitute "a notification provision".
53A Subsection 46(2)
After "critical infrastructure asset", insert "or of the fact that an asset is declared under section 52B to be a system of national significance".
54 Subsection 46(3)
Omit "subsection 51(3) or 52(4)", substitute "a notification provision".
54A Section 47
Omit "Except where it is necessary to do so for the purposes of giving effect to this Act, an entity is not", substitute "(1) An entity is not (subject to subsection (2))".
54B At the end of section 47
Add:
(2) Subsection (1) does not prevent an entity from being required to disclose protected information, or to produce a document containing protected information, if it is necessary to do so for the purposes of giving effect to:
(a) this Act; or
(b) the Inspector-General of Intelligence and Security Act 1986, or any other Act that confers functions, powers or duties on the Inspector-General of Intelligence and Security; or
(c) a legislative instrument made under an Act mentioned in paragraph (a) or (b).
55 At the end of section 48
Add:
Infringement notices may be given under Part 5 of the Regulatory Powers Act for alleged contraventions of certain provisions of this Act.
A provision is subject to monitoring under Part 2 of the Regulatory Powers Act if it is:
(a) an offence against section 35AT or 45 of this Act; or
(b) a civil penalty provision of this Act.
A provision is subject to investigation under Part 3 of the Regulatory Powers Act if it is:
(a) an offence against section 35AT or 45 of this Act; or
(b) a civil penalty provision of this Act.
56 Subsections 49(2) and (3)
Repeal the subsections, substitute:
Authorised applicant
(2) For the purposes of Part 4 of the Regulatory Powers Act, as that Part applies in relation to a civil penalty provision of this Act, each of the following persons is an authorised applicant:
(a) the Secretary;
(b) a person who is appointed under subsection (3).
(3) The Secretary may, by writing, appoint a person who:
(a) is the chief executive officer (however described) of a relevant Commonwealth regulator; or
(b) is an SES employee, or an acting SES employee, in:
(i) the Department; or
(ii) a relevant Commonwealth regulator; or
(c) holds, or is acting in, a position in a relevant Commonwealth regulator that is equivalent to, or higher than, a position occupied by an SES employee;
to be an authorised applicant for the purposes of Part 4 of the Regulatory Powers Act, as that Part applies in relation to a civil penalty provision of this Act.
Note: The expressions SES employee and acting SES employee are defined in section 2B of the Acts Interpretation Act 1901.
Authorised person
(3A) For the purposes of Parts 6 and 7 of the Regulatory Powers Act, as those Parts apply in relation to a civil penalty provision of this Act, each of the following persons is an authorised applicant:
(a) the Secretary;
(b) a person who is appointed under subsection (3B).
(3B) The Secretary may, by writing, appoint a person who:
(a) is the chief executive officer (however described) of a relevant Commonwealth regulator; or
(b) is an SES employee, or an acting SES employee, in:
(i) the Department; or
(ii) a relevant Commonwealth regulator; or
(c) holds, or is acting in, a position in a relevant Commonwealth regulator that is equivalent to, or higher than, a position occupied by an SES employee;
to be an authorised applicant for the purposes of Parts 6 and 7 of the Regulatory Powers Act, as those Parts apply in relation to a civil penalty provision of this Act.
Note: The expressions SES employee and acting SES employee are defined in section 2B of the Acts Interpretation Act 1901.
57 At the end of Part 5
Add:
Division 3--Monitoring and investigation powers
49A Monitoring powers
Provisions subject to monitoring
(1) A provision is subject to monitoring under Part 2 of the Regulatory Powers Act if it is:
(a) an offence against section 35AT or 45; or
(b) a civil penalty provision of this Act.
Note: Part 2 of the Regulatory Powers Act creates a framework for monitoring whether the provisions have been complied with. It includes powers of entry and inspection.
Information subject to monitoring
(2) Information given in compliance or purported compliance with a provision of this Act is subject to monitoring under Part 2 of the Regulatory Powers Act.
Note: Part 2 of the Regulatory Powers Act creates a framework for monitoring whether the information is correct. It includes powers of entry and inspection.
Authorised applicant
(3) For the purposes of Part 2 of the Regulatory Powers Act, a person who is appointed under subsection (4) is an authorised applicant in relation to the provisions mentioned in subsection (1) and information mentioned in subsection (2).
(4) The Secretary may, by writing, appoint a person who:
(a) is an SES employee, or an acting SES employee, in:
(i) the Department; or
(ii) a relevant Commonwealth regulator; or
(b) holds, or is acting in, a position in a relevant Commonwealth regulator that is equivalent to, or higher than, a position occupied by an SES employee;
to be an authorised applicant in relation to the provisions mentioned in subsection (1) and information mentioned in subsection (2).
Note: The expressions SES employee and acting SES employee are defined in section 2B of the Acts Interpretation Act 1901.
Authorised person
(5) For the purposes of Part 2 of the Regulatory Powers Act, a person who is appointed under subsection (6) is an authorised person in relation to the provisions mentioned in subsection (1) and information mentioned in subsection (2).
(6) The Secretary may, by writing, appoint a person who is:
(a) an APS employee in:
(i) the Department; or
(ii) a relevant Commonwealth regulator; or
(b) an officer or employee of a relevant Commonwealth regulator;
to be an authorised person in relation to the provisions mentioned in subsection (1) and information mentioned in subsection (2).
Issuing officer
(7) For the purposes of Part 2 of the Regulatory Powers Act, a magistrate is an issuing officer in relation to the provisions mentioned in subsection (1) and information mentioned in subsection (2).
Relevant chief executive
(8) For the purposes of Part 2 of the Regulatory Powers Act, the Secretary is the relevant chief executive in relation to the provisions mentioned in subsection (1) and information mentioned in subsection (2).
(9) The relevant chief executive may, in writing, delegate the powers and functions mentioned in subsection (10) to a person who is an SES employee, or an acting SES employee, in the Department.
Note: The expressions SES employee and acting SES employee are defined in section 2B of the Acts Interpretation Act 1901.
(10) The powers and functions that may be delegated are:
(a) powers under Part 2 of the Regulatory Powers Act in relation to the provisions mentioned in subsection (1) and information mentioned in subsection (2); and
(b) powers and functions under the Regulatory Powers Act that are incidental to a power mentioned in paragraph (a).
(11) A person exercising powers or performing functions under a delegation under subsection (9) must comply with any directions of the relevant chief executive.
Relevant court
(12) For the purposes of Part 2 of the Regulatory Powers Act, each of the following courts is a relevant court in relation to the provisions mentioned in subsection (1) and information mentioned in subsection (2):
(a) the Federal Court of Australia;
(b) the Federal Circuit Court of Australia; and
(c) a court of a State or Territory that has jurisdiction in relation to matters arising under this Act.
Premises
(13) An authorised person must not enter premises under Part 2 of the Regulatory Powers Act, as it applies in relation to the provisions mentioned in subsection (1) and information mentioned in subsection (2), if the premises are used solely or primarily as a residence.
Person assisting
(14) An authorised person may be assisted by other persons in exercising powers, or performing functions or duties, under Part 2 of the Regulatory Powers Act in relation to the provisions mentioned in subsection (1) and information mentioned in subsection (2).
External Territories
(15) Part 2 of the Regulatory Powers Act, as it applies in relation to the provisions mentioned in subsection (1) and information mentioned in subsection (2), extends to every external Territory.
49B Investigation powers
Provisions subject to investigation
(1) A provision is subject to investigation under Part 3 of the Regulatory Powers Act if it is:
(a) an offence against section 35AT or 45; or
(b) a civil penalty provision of this Act.
Authorised applicant
(2) For the purposes of Part 3 of the Regulatory Powers Act, a person who is appointed under subsection (3) is an authorised applicant in relation to evidential material that relates to a provision mentioned in subsection (1).
(3) The Secretary may, by writing, appoint a person who:
(a) is an SES employee, or an acting SES employee, in:
(i) the Department; or
(ii) a relevant Commonwealth regulator; or
(b) holds, or is acting in, a position in a relevant Commonwealth regulator that is equivalent to, or higher than, a position occupied by an SES employee;
to be an authorised applicant in relation to evidential material that relates to a provision mentioned in subsection (1).
Note: The expressions SES employee and acting SES employee are defined in section 2B of the Acts Interpretation Act 1901.
Authorised person
(4) For the purposes of Part 3 of the Regulatory Powers Act, a person who is appointed under subsection (5) is an authorised person in relation to evidential material that relates to a provision mentioned in subsection (1).
(5) The Secretary may, by writing, appoint a person who is:
(a) an APS employee in:
(i) the Department; or
(ii) a relevant Commonwealth regulator; or
(b) an officer or employee of a relevant Commonwealth regulator;
to be an authorised person in relation to evidential material that relates to a provision mentioned in subsection (1).
Issuing officer
(6) For the purposes of Part 3 of the Regulatory Powers Act, a magistrate is an issuing officer in relation to evidential material that relates to a provision mentioned in subsection (1).
Relevant chief executive
(7) For the purposes of Part 3 of the Regulatory Powers Act, the Secretary is the relevant chief executive in relation to evidential material that relates to a provision mentioned in subsection (1).
(8) The relevant chief executive may, in writing, delegate the powers and functions mentioned in subsection (9) to a person who is an SES employee or an acting SES employee in the Department.
Note: The expressions SES employee and acting SES employee are defined in section 2B of the Acts Interpretation Act 1901.
(9) The powers and functions that may be delegated are:
(a) powers under Part 3 of the Regulatory Powers Act in relation to evidential material that relates to a provision mentioned in subsection (1); and
(b) powers and functions under the Regulatory Powers Act that are incidental to a power mentioned in paragraph (a).
(10) A person exercising powers or performing functions under a delegation under subsection (8) must comply with any directions of the relevant chief executive.
Relevant court
(11) For the purposes of Part 3 of the Regulatory Powers Act, each of the following courts is a relevant court in relation to evidential material that relates to a provision mentioned in subsection (1):
(a) the Federal Court of Australia;
(b) the Federal Circuit Court of Australia;
(c) a court of a State or Territory that has jurisdiction in relation to matters arising under this Act.
Person assisting
(12) An authorised person may be assisted by other persons in exercising powers, or performing functions or duties, under Part 3 of the Regulatory Powers Act in relation to evidential material that relates to a provision mentioned in subsection (1).
External Territories
(13) Part 3 of the Regulatory Powers Act, as it applies in relation to the provisions mentioned in subsection (1), extends to every external Territory.
Division 4--Infringement notices
49C Infringement notices
Provisions subject to an infringement notice
(1) A civil penalty provision of this Act is subject to an infringement notice under Part 5 of the Regulatory Powers Act.
Note: Part 5 of the Regulatory Powers Act creates a framework for using infringement notices in relation to provisions.
Infringement officer
(2) For the purposes of Part 5 of the Regulatory Powers Act, a person authorised under subsection (3) is an infringement officer in relation to the provisions mentioned in subsection (1).
(3) The Secretary may, by writing, authorise a person who:
(a) is an SES employee, or an acting SES employee, in:
(i) the Department; or
(ii) a relevant Commonwealth regulator; or
(b) holds, or is acting in, a position in a relevant Commonwealth regulator that is equivalent to, or higher than, a position occupied by an SES employee;
to be an infringement officer in relation to the provisions mentioned in subsection (1).
Note: The expressions SES employee and acting SES employee are defined in section 2B of the Acts Interpretation Act 1901.
Relevant chief executive
(4) For the purposes of Part 5 of the Regulatory Powers Act, the Secretary is the relevant chief executive in relation to the provisions mentioned in subsection (1).
(5) The relevant chief executive may, in writing, delegate any or all of the relevant chief executive's powers and functions under Part 5 of the Regulatory Powers Act to a person who is an SES employee or an acting SES employee in the Department.
Note: The expressions SES employee and acting SES employee are defined in section 2B of the Acts Interpretation Act 1901.
(6) A person exercising powers or performing functions under a delegation under subsection (5) must comply with any directions of the relevant chief executive.
External Territories
(7) Part 5 of the Regulatory Powers Act, as it applies in relation to the provisions mentioned in subsection (1), extends to every external Territory.
58 Paragraphs 51(1)(b) and (c)
Repeal the paragraphs, substitute:
(b) the asset relates to a critical infrastructure sector; and
(c) the Minister is satisfied that the asset is critical to:
(i) the social or economic stability of Australia or its people; or
(ii) the defence of Australia; or
(iii) national security; and
(d) there would be a risk to:
(i) the social or economic stability of Australia or its people; or
(ii) the defence of Australia; or
(iii) national security;
if it were publically known that the asset is a critical infrastructure asset.
59 Subsection 51(1) (note 1)
Repeal the note.
60 Subsection 51(1) (note 2)
Omit "Note 2", substitute "Note".
61 After subsection 51(2)
Insert:
(2A) The declaration may do any or all of the following:
(a) determine that Part 2 applies to the asset;
(b) determine that Part 2A applies to the asset;
(c) determine that Part 2B applies to the asset.
62 Paragraph 51(3)(b)
Repeal the paragraph, substitute:
(b) if the asset is a tangible asset located (wholly or partly) in a State, the Australian Capital Territory or the Northern Territory--the First Minister of the State, the Australian Capital Territory or the Northern Territory, as the case requires.
63 Subsection 51(4)
Repeal the subsection.
64 After section 51
Insert:
51A Consultation--declaration
(1) Before making a declaration under section 51 that specifies an entity as the responsible entity for an asset, the Minister must give the entity a notice:
(a) setting out the proposed declaration; and
(b) inviting the entity to make submissions to the Minister about the proposed declaration within:
(i) 28 days after the notice is given; or
(ii) if a shorter period is specified in the notice--that shorter period.
(2) The Minister must consider any submissions received within:
(a) the 28-day period mentioned in subparagraph (1)(b)(i); or
(b) if a shorter period is specified in the notice--that shorter period.
(3) The Minister must not specify a shorter period in the notice unless the Minister is satisfied that the shorter period is necessary due to urgent circumstances.
(4) The notice must set out the reasons for making the declaration, unless the Minister is satisfied that doing so would be prejudicial to security.
65 Subsection 52(5)
Repeal the subsection.
66 After Part 6
Insert:
Part 6A--Declaration of systems of national significance by the Minister
Division 1--Simplified outline of this Part
52A Simplified outline of this Part
The Minister may privately declare a critical infrastructure asset to be a system of national significance.
The Minister must notify each reporting entity for an asset that is a declared system of national significance.
If a reporting entity for an asset that is a declared system of national significance ceases to be such a reporting entity, or becomes aware of another reporting entity for the asset, the entity must notify the Secretary.
Note: It is an offence to disclose that an asset has been declared a system of national significance (see section 45).
Division 2--Declaration of systems of national significance by the Minister
52B Declaration of systems of national significance by the Minister
(1) The Minister may, in writing, declare a particular asset to be a system of national significance if:
(a) the asset is a critical infrastructure asset; and
(b) the Minister is satisfied that the asset is of national significance.
(2) In determining whether an asset is of national significance for the purposes of subsection (1), the Minister must have regard to:
(a) the consequences that would arise for:
(i) the social or economic stability of Australia or its people; or
(ii) the defence of Australia; or
(iii) national security;
if a hazard were to occur that had a significant relevant impact on the asset; and
(b) if the Minister is aware of one or more interdependencies between the asset and one or more other critical infrastructure assets--the nature and extent of those interdependencies; and
(c) such other matters (if any) as the Minister considers relevant.
(3) The Minister must notify the following of the declaration, in writing, within 30 days after making the declaration in relation to an asset:
(a) each reporting entity for the asset;
(b) if the asset is a tangible asset located (wholly or partly) in a State, the Australian Capital Territory or the Northern Territory--the First Minister of the State, the Australian Capital Territory or the Northern Territory, as the case requires.
(4) A declaration under subsection (1) is not a legislative instrument.
(5) To avoid doubt, an asset may be the subject of a declaration under subsection (1) even if the asset is not a system.
52C Consultation--declaration
(1) Before making a declaration under section 52B in relation to an asset, the Minister must give the responsible entity for the asset a notice:
(a) setting out the proposed declaration; and
(b) inviting the entity to make submissions to the Minister about the proposed declaration within:
(i) 28 days after the notice is given; or
(ii) if a shorter period is specified in the notice--that shorter period.
(2) The Minister must consider any submissions received within:
(a) the 28-day period mentioned in subparagraph (1)(b)(i); or
(b) if a shorter period is specified in the notice--that shorter period.
(3) The Minister must not specify a shorter period in the notice unless the Minister is satisfied that the shorter period is necessary due to urgent circumstances.
(4) The notice must set out the reasons for making the declaration, unless the Minister is satisfied that doing so would be prejudicial to security.
52D Notification of change to reporting entities for asset
Scope
(1) This section applies if a reporting entity (the first entity) for an asset declared under subsection 52B(1) to be a system of national significance:
(a) ceases to be a reporting entity for the asset; or
(b) becomes aware of another reporting entity for the asset (whether or not as a result of the first entity ceasing to be a reporting entity).
Notification
(2) The first entity must, within 30 days, notify the Secretary of the following:
(a) the fact in paragraph (1)(a) or (b) (as the case requires);
(b) if another entity is a reporting entity for the asset--the name of each other entity and the address of each other entity's head office or principal place of business (to the extent known by the first entity).
Civil penalty: 150 penalty units.
(3) The first entity must use the entity's best endeavours to determine the name and relevant address of any other entity for the purposes of paragraph (2)(b).
(4) If the Secretary is notified of another entity under paragraph (2)(b), the Secretary must notify the other entity of the declaration under subsection 52B(1), in writing, within 30 days after being notified under that paragraph.
52E Review of declaration
Scope
(1) This section applies if an asset is declared under subsection 52B(1) to be a system of national significance.
Request
(2) The responsible entity for the asset may, by written notice given to the Secretary, request the Secretary to review whether the asset is of national significance.
Requirement
(3) The Secretary must, within 60 days after the request is given:
(a) review whether the asset is of national significance; and
(b) give the Minister:
(i) a report of the review; and
(ii) a statement setting out the Secretary's findings.
(4) The review must be undertaken in consultation with the responsible entity for the asset.
(5) In reviewing whether the asset is of national significance, the Secretary must have regard to:
(a) the consequences that would arise for:
(i) the social or economic stability of Australia or its people; or
(ii) the defence of Australia; or
(iii) national security;
if a hazard were to occur that had a significant relevant impact on the asset; and
(b) if the Secretary is aware of one or more interdependencies between the asset and one or more other critical infrastructure assets--the nature and extent of those interdependencies; and
(c) such other matters (if any) as the Secretary considers relevant.
Limit
(6) The responsible entity for the asset must not make more than one request under subsection (2) in relation to the asset during a 12-month period.
52F Revocation of determination
Scope
(1) This section applies if:
(a) a declaration under subsection 52B(1) is in force in relation to an asset; and
(b) the Minister is no longer satisfied that the asset is of national significance.
Duty to revoke declaration
(2) The Minister must, in writing, revoke the declaration.
Revocation is not a legislative instrument
(3) A revocation of the declaration is not a legislative instrument.
Application of Acts Interpretation Act 1901
(4) This section does not, by implication, affect the application of subsection 33(3) of the Acts Interpretation Act 1901 to an instrument made under a provision of this Act.
67 Subsection 59(1)
After "this Act", insert "(other than Part 3A)".
68 Division 4 of Part 7 (at the end of the heading)
Add "etc.".
69 At the end of subsection 60(2)
Add:
; and (f) the number of annual reports given under section 30AG during the financial year; and
(g) the number of annual reports given under section 30AG during the financial year that included a statement to the effect that a critical infrastructure risk management program was up to date at the end of the financial year; and
(h) the number of cyber security incidents reported during the financial year under section 30BC; and
(i) the number of cyber security incidents reported during the financial year under 30BD; and
(j) the number of notices given to entities under section 30CB during the financial year; and
(k) the number of notices given to entities under section 30CM during the financial year; and
(l) the number of notices given to entities under section 30CU during the financial year; and
(m) the number of notices given to entities under Division 5 of Part 2C during the financial year; and
(n) the number of Ministerial authorisations given under section 35AB during the financial year; and
(o) the number of Ministerial authorisations given under paragraph 35AB(2)(a) or (b) during the financial year; and
(p) the number of Ministerial authorisations given under paragraph 35AB(2)(c) or (d) during the financial year; and
(q) the number of Ministerial authorisations given under paragraph 35AB(2)(e) or (f) during the financial year; and
(r) the number of declarations of assets as systems of national significance that were made under section 52B during the financial year.
70 After section 60
Insert:
60AA Compensation for acquisition of property
(1) If the operation of this Act would result in an acquisition of property (within the meaning of paragraph 51(xxxi) of the Constitution) from an entity otherwise than on just terms (within the meaning of that paragraph), the Commonwealth is liable to pay a reasonable amount of compensation to the entity.
(2) If the Commonwealth and the entity do not agree on the amount of the compensation, the entity may institute proceedings in:
(a) the Federal Court of Australia; or
(b) the Supreme Court of a State or Territory;
for the recovery from the Commonwealth of such reasonable amount of compensation as the court determines.
60AB Service of notices, directions and instruments by electronic means
Paragraphs 9(1)(d) and (2)(d) of the Electronic Transactions Act 1999 do not apply to a notice, direction or instrument under:
(a) this Act; or
(b) the rules; or
(c) the Regulatory Powers Act, so far as that Act relates to this Act.
Note: Paragraphs 9(1)(d) and (2)(d) of the Electronic Transactions Act 1999 deal with the consent of the recipient of information to the information being given by way of electronic communication.
Part 2--Application provisions
71 Application--subsections 9(3) and (4) of the Security of Critical Infrastructure Act 2018
The amendments of subsections 9(3) and (4) of the Security of Critical Infrastructure Act 2018 made by this Schedule apply in relation to rules made after the commencement of this item.
72 Application--section 51 of the Security of Critical Infrastructure Act 2018
The amendments of section 51 of the Security of Critical Infrastructure Act 2018 made by this Schedule apply in relation to a declaration made after the commencement of this item.
Part 3--Amendments contingent on the commencement of the Federal Circuit and Family Court of Australia Act 2020
Security of Critical Infrastructure Act 2018
73 Paragraphs 49A(12)(b) and 49B(11)(b)
Omit "Federal Circuit Court of Australia", substitute "Federal Circuit and Family Court of Australia (Division 2)".
Part 4--Amendments contingent on the commencement of the National Emergency Declaration Act 2020
National Emergency Declaration Act 2020
74 Section 10 (after paragraph (za) of the definition of national emergency law)
Insert:
(zaa) section 35AB of the Security of Critical Infrastructure Act 2018;
Security of Critical Infrastructure Act 2018
75 After subsection 35AB(1)
Insert:
(1A) This section also applies if the Minister is satisfied that:
(a) a cyber security incident:
(i) has occurred; or
(ii) is occurring; or
(iii) is imminent; and
(b) the incident has had, is having, or is likely to have, a relevant impact on a critical infrastructure asset (the primary asset); and
(c) the incident relates to an emergency specified in a national emergency declaration (within the meaning of the National Emergency Declaration Act 2020) that is in force; and
(d) no existing regulatory system of the Commonwealth, a State or a Territory could be used to provide a practical and effective response to the incident.
Schedule 2--Australian Signals Directorate
Criminal Code Act 1995
1 Subsection 476.4(2) of the Criminal Code
Omit "section 476.5", substitute "sections 476.5 and 476.6".
2 Section 476.5 of the Criminal Code (at the end of the heading)
Add "--ASIS and AGO".
3 Subsection 476.5(1) of the Criminal Code
Omit "ASIS, AGO or ASD", substitute "ASIS or AGO".
4 Subsection 476.5(3) of the Criminal Code (definition of ASD)
Repeal the definition.
5 Subsection 476.5(3) of the Criminal Code (paragraph (b) of the definition of staff member)
Repeal the paragraph.
6 At the end of Division 476 of the Criminal Code
Add:
476.6 Liability for certain acts--ASD
(1) A staff member or agent of ASD is not subject to any civil or criminal liability for engaging in conduct inside or outside Australia if:
(a) the conduct is engaged in on the reasonable belief that it is likely to cause a computer-related act, event, circumstance or result to take place outside Australia (whether or not it in fact takes place outside Australia); and
(b) the conduct is engaged in in the proper performance of a function of ASD.
(2) A person is not subject to any civil or criminal liability for engaging in conduct inside or outside Australia if:
(a) the conduct is preparatory to, in support of, or otherwise directly connected with, overseas activities of ASD; and
(b) the conduct:
(i) taken together with a computer-related act, event, circumstance or result that took place, or was intended to take place, outside Australia, could amount to an offence; but
(ii) in the absence of that computer-related act, event, circumstance or result, would not amount to an offence; and
(c) the conduct is engaged in in the proper performance of a function of ASD.
(3) Subsection (2) is not intended to permit any conduct in relation to premises, persons, computers, things, or carriage services in Australia, being:
(a) conduct which ASIO could not engage in without a Minister authorising it by warrant issued under Division 2 of Part III of the Australian Security Intelligence Organisation Act 1979 or under Part 2-2 of the Telecommunications (Interception and Access) Act 1979; or
(b) conduct engaged in to obtain information that ASIO could not obtain other than in accordance with Division 3 of Part 4-1 of the Telecommunications (Interception and Access) Act 1979.
(4) Subsections (1) and (2) have effect despite anything in a law of the Commonwealth or of a State or Territory, whether passed or made before or after the commencement of this subsection, unless the law expressly provides otherwise.
(5) Subsection (4) does not affect the operation of subsection (3).
Certificate
(6) The Inspector-General of Intelligence and Security may give a certificate in writing certifying any fact relevant to the question of whether conduct was engaged in in the proper performance of a function of ASD.
(7) In any proceedings, a certificate given under subsection (6) is prima facie evidence of the facts certified.
Notice to Inspector-General of Intelligence and Security
(8) If:
(a) a person engages in conduct referred to in subsection (1) or (2) in relation to ASD; and
(b) the conduct causes material damage, material interference or material obstruction to a computer (within the meaning of section 22 of the Australian Security Intelligence Organisation Act 1979) in Australia; and
(c) apart from this section, the person would commit an offence against this Part;
then the agency head (within the meaning of the Intelligence Services Act 2001) of ASD must, as soon as practicable, give a written notice to the Inspector-General of Intelligence and Security that:
(d) informs the Inspector-General of Intelligence and Security of that fact; and
(e) provides details about the conduct that caused the damage, interference or obstruction to the computer.
(9) This section has effect in addition to, and does not limit, section 14 of the Intelligence Services Act 2001.
Definitions
(10) In this section:
ASD means the Australian Signals Directorate.
civil or criminal liability means any civil or criminal liability (whether under this Part, under another law or otherwise).
computer-related act, event, circumstance or result means an act, event, circumstance or result involving:
(a) the reliability, security or operation of a computer; or
(b) access to, or modification of, data held in a computer or on a data storage device; or
(c) electronic communication to or from a computer; or
(d) the reliability, security or operation of any data held in or on a computer, computer disk, credit card, or other data storage device; or
(e) possession or control of data held in a computer or on a data storage device; or
(f) producing, supplying or obtaining data held in a computer or on a data storage device.
staff member, in relation to ASD, means:
(a) the Director-General of ASD; or
(b) a member of the staff of ASD (whether an employee of ASD, a consultant or contractor to ASD, or a person who is made available by another Commonwealth or State authority or other person to perform services for ASD).
7 Application of amendments
The amendments made by this Schedule apply in relation to conduct engaged in after the commencement of this Schedule.